Please add my name also. Good work.

Nicolas Adam

On 13/03/2015 2:11 PM, Kathy Kleiman wrote:
>
>
> Dear All,
>
> Attached please find an important set of comments. They are to the 
> Whois Accuracy Pilot Study Report – by a group of researchers at the 
> University of Chicago called NORC. Buried in this report turns out to 
> be a many issues important to us in the Whois domain name registration 
> databases – including the question of postal addresses (should we be 
> validating and publishing the physical addresses of political 
> dissident groups, religious minorities, girls’ schools in areas where 
> many do not like girls education?Is there a danger to be evaluated 
> *before* we undertake this new policy?)
>
> Identity Validation is a very open question as well, yet NORC seems 
> ready to start work in this area. I have written a set of questions 
> that say STOP – and let’s consider the policy implications of these 
> acts before we develop plans to put them into effect. The comments are 
> below (with a full copy attached).
>
> *They are due tonight!If you can sign on, please do. Please let me 
> know your name and/or organization and/or country.*
>
> **
>
> Great tx to Stephanie Perrin for editing! Here are some thoughts of 
> members on our Policy Committee:
>
> -Kathy’s drafted, what I believe to be, an excellent comment in 
> response. – Amr Elsadr
>
> -Great job Kathy!!  I support this document.  -- Stephanie Perrin
>
> -Feel free to add my name as endorsing the document – Ed Morris
>
> Best and tx!!
> Kathy (Kleiman)
>
> *
> WHOIS Accuracy Pilot Study Report*
>
> Burying Extremely Divisive Policy Questions in a Technical 
> Implementation Report Written by an ICANN Contractor is Improper and, 
> in this Case, Dangerous
>
>
> These are comments written in response to the WHOIS Accuracy Pilot 
> Study Report. Buried in this Report – which purports to be an 
> implementation report of an ICANN Contractor (NORC/University of 
> Chicago) -- are some of the most controversial and unsettled issues in 
> ICANN policy discussions and history. These issues are the subject of 
> deep and bitter divides over many years of ICANN work, the subject of 
> interest across the world, and the focus of a series of explosive 
> comments in Singaporewhen the ICANN Community began to realize what 
> was happening.
>
>
> It is inappropriate in the extreme, for ICANN policy issues to be 
> buried in a ICANN Contractor’s implementation report, and even 
> further, deep in its Appendix B,/Next Steps for the Development of the 
> WHOIS Accuracy Report System (ARS). /This follows pages of study 
> “methods and approach” language and sample design which are obscure 
> even to those who follow Whois policy issues on a regular basis.We 
> submit that after the many years of heated controversy over this 
> topic, it is disingenuous at the very least to allow this to happen 
> policy debate to continue its development in this manner.
>
> We are deeply concerned that ICANN Staff has not flagged this Report, 
> or this Comment Proceeding, for what it appears to be – a process to 
> seek permission from the ICANN Community for the:
>
> a)*wholesale checking of the physical addresses of online speakers 
> across the world (whether using domain names for political speech, 
> personal speech, or religious, ethnic or sexual minority 
> expression)*thus creating an unprecedented inextricable link between a 
> speaker and her physical location, and
>
> b)*the**radical new concept of Identity Validation for each and every 
> domain name Registrant to the ICANN Community, *a concept with 
> inconceivable implications for political, ethnic and religious 
> minorities worldwide, as well as entrepreneurs, emerging organizations 
> and those operating today without identities who seek to create them.
>
> We respectfully add the issues below to this debate.
>
> *I.**ICANN has never been given a mandate for Address Checking on a 
> Massive Scale*
>
> Although the Contractor’s Report seems to suggest that the ICANN 
> Community has approved the massive checking of postal addresses in the 
> existing gTLD Whois databases, that is not the case.
>
>
> A.The Whois Review Team Final Report set the standard of 
> “contactability” -- reaching the domain name registrant with questions 
> and concerns – not absolute accuracy of all data in the whois
>
> The Current NORC Study (2014) and its accompanying ICANN Staff Summary 
> accompanying this NORC’s Pilot Report misrepresent the WHOIS Policy 
> Review Team Final Report and its Recommendations. The goal of the 
> Whois Review Team was “Contactibility” and “Reachability” of the 
> Registrant. To this end WHOIS Policy Review Team Final Report looked 
> “holistically” at the Whois record and did not seek the accuracy of 
> each and every element of a Registrant’s Whois record.
>
>
> Specifically, the NORC Report of 2009/2010 (an earlier report called 
> the NORC Data Accuracy Study) created five categories for ranking the 
> data quality of a Whois record: *Full Failure* (overwhelmingly 
> inaccurate); *Substantial Failure* (most data inaccurate); *Limited 
> Failure* (data to some degree present and considered useful); *Minimal 
> Failure* (may benefit from additional information, but data provided 
> is accurate) and *No Failure *(data complete and accurate).
>
> */
> The Whois Review Team called for ICANN to significantly reduce the 
> number of “Full Failure” and “Substantial Failure” Whois Records --- 
> Avoidance of “No Failure” was not a goal at all./*As shared many times 
> in meetings of the Whois Review Team and members of the ICANN 
> Community, including the GAC, what the WHOIS Review Team recommended 
> was that Whois information be sufficiently available and accurate for 
> the Registrant to be reached –for legitimate technical, administrative 
> and other questions: [Recommendation] “*6. ICANN 
> shouldtakeappropriatemeasurestoreduce thenumberofWHOIS 
> registrationsthatfallintotheaccuracygroupsSubstantial Failureand Full 
> Failure(asdefinedbytheNORCDataAccuracyStudy,2009/10)by50%within12months andby50%againoverthefollowing12months.*”
>
>
> Thus, for the Whois Review Team, “No Failure” (full accuracy of all 
> fields) was */not the goal/*;“contactability” and “reachability” of 
> Registrants was.
>
>
>         B. 2013 Registrar Accreditation Agreement
>
>
> The WHOIS Review Team Final Report noted that efforts were already 
> underway to improve accuracy and contactibility of Registrants in the 
> then-pending “direct negotiations with Registrars on revisions to the 
> RAA.” These negotiations resulted in the 2013 RAA which furthered the 
> goal of reaching Registrants through verified phone numbers and email 
> addresses:
>
> 1.f : “Verify:
>
> i.the email address of the Registered Name Holder (and, if different, 
> the Account Holder) by sending an email requiring an affirmative 
> response through a tool-based authentication method such as providing 
> a unique code that must be returned in a manner designated by the 
> Registrar, or
>
> ii.the telephone number of the Registered Name Holder (and, if 
> different, the Account Holder) by either (A) calling or sending an SMS 
> to the Registered Name Holder's telephone number providing a unique 
> code that must be returned in a manner designated by the Registrar, or 
> (B) calling the Registered Name Holder's telephone number and 
> requiring the Registered Name Holder to provide a unique code that was 
> sent to the Registered Name Holder via web, email or postal mail.
>
> As with the Final Report of the Whois Review Team, the goal of the 
> 2013 RAA was “contactability” and “reachability” of the domain name 
> Registrant for technical or administrative questions by third parties.
>
> C.Where Did the “No Failure” Standard Come From for NORC – the 
> Validation and Verification of Each and Every Whois Element Without 
> Policy Processes or Assessments of the Risks and Harms?
>
> Consistent with the Whois Review Team Final Report and the 2013 RAA, 
> we can understand the NORC methodology and approach to checking email 
> addresses and telephone numbers – but postal address validation?Where 
> is the underlying GNSO Policy driving this direction to NORC from 
> ICANN Staff?
>
> */Where is the assessment of the risks and benefits of updating the 
> physical addresses of hundreds of millions of political, personal, 
> religious, ethnic and sexual speakers – including dissidents, 
> minorities and those discriminated against by the laws and customs of 
> various regions?/*Where is NORC evaluating the wholesale and massive 
> verification of postal address in the existing gTLD WHOIS databases 
> without such an assessment?How did ICANN Staff come to direct it?
>
>
> The NORC Contractor seems to have jumped from the logical – checking 
> email and phone – to checking physical addresses. But this leap from 
> an open and undecided policy question to a mere implementation issue 
> should be disturbing to everyone in the ICANN Community. What we know 
> from history and the most tragic of recent events is that speech and 
> physical location are a dangerous combination.
>
>
> When individuals armed with automatic rifles wish to express their 
> disagreement with the legal speech of a satirical magazine, they find 
> the location in Parisand kill writers, publishers and cartoonists. 
> When they want to express contempt for those practicing another 
> religion, they bring their guns to kosher grocery stores in Parisand 
> synagogues in Copenhagen. Tracking down and beheading Christian 
> minorities is a horror of daily life in some parts of the world.
>
>
> The UN Declaration of Human Rights, adopted in 1948, states:
>
>   * Everyone has the right to freedom of opinion and expression; this
>     right includes freedom to hold opinions without interference and
>     to seek, receive and impart information and ideas through any
>     media and regardless of frontiers.
>
>
> It does not say that everyone must put their address on that speech. 
> Where, as here, the Internet has become the major path of 
> communication for that speech, the requirement of a physical address 
> for every speaker may well violate the requirement of the right to 
> speak and the protection for that expression.
>
>
> Further, the validation of postal addresses represents a major change 
> of policy – one not mandated or requested by the Whois Review Team, 
> the 2013 RAA or by any Policy-Development Team we know of.
>
> Who has evaluated the impact and dangers of wholesale adoption of 
> postal address validation of the long-existing gTLD Whois databases– 
> especially in a world that has changed dramatically in the last few 
> years – where entire governments have risen and fallen, where formerly 
> free countries and regions are enslaved by terrorist organizations and 
> a new set of dictators? While proxy/privacy registrations are 
> available, */they are a costly luxury for many and completely unknown 
> to others/*.
>
>
> The mandatory validation of the massive number of postal addresses in 
> the gTLD Whois database – as appears to be the policy proposal buried 
> between methodology and sample sizes in the Contractor’s report -- 
> will result in the dangerous, harmful, even life-threatening exposure 
> of those using their domain names for nothing more than communicating 
> their ideas, concerns, political hopes, and religious meetings via 
> private streams of domain name communications, such as on listservs 
> and email addresses, and more public resources including websites and 
> blogs.
>
>
> No policy we know has ever directed ICANN Staff to instruct a 
> Contractor to engage in massive Postal Address Validation – and no 
> policy development process we know has studied, weighed, debated or 
> valued the enormous impact to speech and expression of going back over 
> 25+ years of domain names registrations to suddenly “correct” the 
> postal address and thereby expose battered women’s shelters, women’s 
> schools in Pakistan, pro-democracy groups, family planning groups and 
> LBGQT locations worldwide.
>
>
> If this is the policy we in ICANN choose to adopt in the future (as we 
> certainly have NOT adopted it already), then it will require enormous 
> amounts of preparation, notice and warning to gTLD domain name
> registrants on a global scale. Absent that, we know (without doubt or 
> hyperbole) that ICANN will have blood on its hands.
>
> Overall, ICANN’s Contractor NORC seems to have jumped into 
> policy-making, not mere implementation.
>
> *
> II. ****Identity Validation – Really? *
>
>
> Buried deep in Appendix B, of the Contractor’s Report, behind 
> “syntactic accuracy” and “operational accuracy” is the explosive issue 
> of “exploring accuracy from an identity perspective” (page 45).
>
> At no time has ICANN ever held a Policy Development Processes on 
> Identity Validation. Accordingly, where does this guidance from ICANN 
> to its Contractor to explore identity validation implementation come 
> from?For those who attended the public Whois meeting in LA, this issue 
> certainly was not flagged in the discussion; for those who attended 
> the public meeting in Singapore, this issue was introduced and 
> IMMEDIATELY FLAGGED as intensely controversial and divisive.
>
>
> Identity validation of those engaged in freedom of expression, 
> publishing and political discussion is a deeply controversial prospect 
> – and one with heartfelt objection and opposition grounded in history 
> and law. The United States, for example, sought to be free of 
> Englandin part because of the mandatory licensing of its printing 
> presses – and the arrest of all who published objections to actions of 
> the English crown. Pamphlets issued without names and addresses are 
> not just a cultural right in the US, but a constitutional 
> one./McIntyre vs. //Ohio//Elections Commission, 514 //U.S.//334 (US 
> Supreme Court, 1995). /
>
>
> A.The GAC asked for a weighing of the risks and benefits
>
> We note that the GAC has not issued policy in this area. According to 
> the “Brief Overview” provided by ICANN as introduction to this 
> Contractor Report and this public comment period, the GAC “asked for 
> an assessment of the feasibility, costs and benefits of conducting 
> identity validation as part of the development of the ARS.”
>
>
> Nowhere in this report do we see any assessment of the costs, delays, 
> risks and harms that might be incurred by gTLD Registrants, Registrars 
> and Registries worldwide if identity validation were adopted. Nowhere 
> do we even see an analysis of how identity validation takes places, 
> what happens when a minority seeks to register, or when a speaker must 
> disclose and show her identification as the cost of signing up for a 
> domain name highlighting family planning, women rights, or women’s 
> education in parts of the world not as conducive to these fundamental 
> rights and basic principles. Must she go through her father for this too?
>
>
> B.ICANN has promised a policy making process.
>
> In his response to the GAC on this issue, Dr. Crocker noted concerns:
>
> The costs of operating the Accuracy Reporting System are largely dependent
>
> upon the number of WHOIS records to be examined, as well as the level of
>
> validation (syntactic, operational, or identity). For example, the initial
>
> responses to the ICANN RFP reveal that identity validation services 
> are both
>
> costly and difficult to administer on a global basis. */There may also 
> be data/*
>
> */protection and privacy issues of concern to the community when 
> conducting/*
>
> */extensive identity validation on WHOIS records./*Hence, the costs of
>
> completing the development of Phase 3 will be determined based on
>
> engagement with the community to identify the appropriate level of 
> identity
>
> validation for ICANN to conduct, as well as the costs associated with
>
> performing identity validation on a global scale. 
> (https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf, 
> emphasis added.)
>
>
> As always, policy development must proceed implementation. We call on 
> ICANN to take this discussion out of the recesses of a Contractor 
> report, and into the light of the policy development process.
>
> *
>         III**. Wide Outreach Needed*
>
> One thing the Whois Review Team did note in its Final Review is the 
> need for clear and concerted outreach on issues that impact the Whois: 
> “We found great interest in the WHOIS policy among a number of groups 
> that do not traditionally participate in ICANN’s more technical 
> proceedings. They include the law enforcement community, Data 
> Protection Commissioners, and the privacy community more 
> generally.”The Whois Review Team’s recommendation specifically call 
> for active and concerted outreach to these communities of its issue:
>
> */Recommendation 3 - Outreach /*
>
> ICANN should ensure that WHOIS policy issues are accompanied by 
> cross-community outreach, including outreach to the communities 
> outside of ICANN with a specific interest in the issues, and an 
> ongoing program for consumer awareness.
>
>
> That has clearly not happened here – when so much of substance is 
> buried so deeply in the back of a report. When will ICANN be 
> undertaking clear, robust global Outreach on these important freedom 
> of expression and privacy issues and implications?
>
> *
> IV.**Finally, let’s Add Policy Staff and Freedom of Expression and 
> Data Protection Expertise*
>
> We ask that an ICANN Staff deeply steeped in data protection and 
> freedom of expression laws and rights be brought on to work on the 
> development of these address and identity issues. We understand that 
> ICANN feels previous backgrounds of its staffers do not limit their 
> activities, but the perception and reality of this issue would be 
> considered much more balanced if the ICANN Staffers of the project 
> hailed from an array of backgrounds and had represented multiple sides 
> of this issue in their prior lives.
>
> *
> V.**Conclusion*
>
> We can’t bury wholesale physical address checking and the new concept 
> of identity validation in the back of a Contractor Report. These are 
> NOT policies examined or endorsed by the whole of the ICANN or even 
> the GNSO communities, nor policies evaluated yet by the whole of the 
> ICANN Community. The risks and benefits must be assessed before the 
> implementation is planned.
>
>
> Signed,
>
>
> MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP
> [name, and/or organization, and/or country]
>