Please add my name as well.

-- 
Tapani Tarvainen

On Fri, Mar 13, 2015 at 02:54:52PM -0400, Nicolas Adam ([log in to unmask]) wrote:

> Please add my name also. Good work.
> 
> Nicolas Adam
> 
> On 13/03/2015 2:11 PM, Kathy Kleiman wrote:
> >
> >
> >Dear All,
> >
> >Attached please find an important set of comments. They are to the
> >Whois Accuracy Pilot Study Report – by a group of researchers at
> >the University of Chicago called NORC. Buried in this report turns
> >out to be a many issues important to us in the Whois domain name
> >registration databases – including the question of postal
> >addresses (should we be validating and publishing the physical
> >addresses of political dissident groups, religious minorities,
> >girls’ schools in areas where many do not like girls education?Is
> >there a danger to be evaluated *before* we undertake this new
> >policy?)
> >
> >Identity Validation is a very open question as well, yet NORC
> >seems ready to start work in this area. I have written a set of
> >questions that say STOP – and let’s consider the policy
> >implications of these acts before we develop plans to put them
> >into effect. The comments are below (with a full copy attached).
> >
> >*They are due tonight!If you can sign on, please do. Please let me
> >know your name and/or organization and/or country.*
> >
> >**
> >
> >Great tx to Stephanie Perrin for editing! Here are some thoughts
> >of members on our Policy Committee:
> >
> >-Kathy’s drafted, what I believe to be, an excellent comment in
> >response. – Amr Elsadr
> >
> >-Great job Kathy!!  I support this document.  -- Stephanie Perrin
> >
> >-Feel free to add my name as endorsing the document – Ed Morris
> >
> >Best and tx!!
> >Kathy (Kleiman)
> >
> >*
> >WHOIS Accuracy Pilot Study Report*
> >
> >Burying Extremely Divisive Policy Questions in a Technical
> >Implementation Report Written by an ICANN Contractor is Improper
> >and, in this Case, Dangerous
> >
> >
> >These are comments written in response to the WHOIS Accuracy Pilot
> >Study Report. Buried in this Report – which purports to be an
> >implementation report of an ICANN Contractor (NORC/University of
> >Chicago) -- are some of the most controversial and unsettled
> >issues in ICANN policy discussions and history. These issues are
> >the subject of deep and bitter divides over many years of ICANN
> >work, the subject of interest across the world, and the focus of a
> >series of explosive comments in Singaporewhen the ICANN Community
> >began to realize what was happening.
> >
> >
> >It is inappropriate in the extreme, for ICANN policy issues to be
> >buried in a ICANN Contractor’s implementation report, and even
> >further, deep in its Appendix B,/Next Steps for the Development of
> >the WHOIS Accuracy Report System (ARS). /This follows pages of
> >study “methods and approach” language and sample design which are
> >obscure even to those who follow Whois policy issues on a regular
> >basis.We submit that after the many years of heated controversy
> >over this topic, it is disingenuous at the very least to allow
> >this to happen policy debate to continue its development in this
> >manner.
> >
> >We are deeply concerned that ICANN Staff has not flagged this
> >Report, or this Comment Proceeding, for what it appears to be – a
> >process to seek permission from the ICANN Community for the:
> >
> >a)*wholesale checking of the physical addresses of online speakers
> >across the world (whether using domain names for political speech,
> >personal speech, or religious, ethnic or sexual minority
> >expression)*thus creating an unprecedented inextricable link
> >between a speaker and her physical location, and
> >
> >b)*the**radical new concept of Identity Validation for each and
> >every domain name Registrant to the ICANN Community, *a concept
> >with inconceivable implications for political, ethnic and
> >religious minorities worldwide, as well as entrepreneurs, emerging
> >organizations and those operating today without identities who
> >seek to create them.
> >
> >We respectfully add the issues below to this debate.
> >
> >*I.**ICANN has never been given a mandate for Address Checking on
> >a Massive Scale*
> >
> >Although the Contractor’s Report seems to suggest that the ICANN
> >Community has approved the massive checking of postal addresses in
> >the existing gTLD Whois databases, that is not the case.
> >
> >
> >A.The Whois Review Team Final Report set the standard of
> >“contactability” -- reaching the domain name registrant with
> >questions and concerns – not absolute accuracy of all data in the
> >whois
> >
> >The Current NORC Study (2014) and its accompanying ICANN Staff
> >Summary accompanying this NORC’s Pilot Report misrepresent the
> >WHOIS Policy Review Team Final Report and its Recommendations. The
> >goal of the Whois Review Team was “Contactibility” and
> >“Reachability” of the Registrant. To this end WHOIS Policy Review
> >Team Final Report looked “holistically” at the Whois record and
> >did not seek the accuracy of each and every element of a
> >Registrant’s Whois record.
> >
> >
> >Specifically, the NORC Report of 2009/2010 (an earlier report
> >called the NORC Data Accuracy Study) created five categories for
> >ranking the data quality of a Whois record: *Full Failure*
> >(overwhelmingly inaccurate); *Substantial Failure* (most data
> >inaccurate); *Limited Failure* (data to some degree present and
> >considered useful); *Minimal Failure* (may benefit from additional
> >information, but data provided is accurate) and *No Failure *(data
> >complete and accurate).
> >
> >*/
> >The Whois Review Team called for ICANN to significantly reduce the
> >number of “Full Failure” and “Substantial Failure” Whois Records
> >--- Avoidance of “No Failure” was not a goal at all./*As shared
> >many times in meetings of the Whois Review Team and members of the
> >ICANN Community, including the GAC, what the WHOIS Review Team
> >recommended was that Whois information be sufficiently available
> >and accurate for the Registrant to be reached –for legitimate
> >technical, administrative and other questions: [Recommendation]
> >“*6. ICANN shouldtakeappropriatemeasurestoreduce thenumberofWHOIS
> >registrationsthatfallintotheaccuracygroupsSubstantial Failureand
> >Full Failure(asdefinedbytheNORCDataAccuracyStudy,2009/10)by50%within12months
> >andby50%againoverthefollowing12months.*”
> >
> >
> >Thus, for the Whois Review Team, “No Failure” (full accuracy of
> >all fields) was */not the goal/*;“contactability” and
> >“reachability” of Registrants was.
> >
> >
> >        B. 2013 Registrar Accreditation Agreement
> >
> >
> >The WHOIS Review Team Final Report noted that efforts were already
> >underway to improve accuracy and contactibility of Registrants in
> >the then-pending “direct negotiations with Registrars on revisions
> >to the RAA.” These negotiations resulted in the 2013 RAA which
> >furthered the goal of reaching Registrants through verified phone
> >numbers and email addresses:
> >
> >1.f : “Verify:
> >
> >i.the email address of the Registered Name Holder (and, if
> >different, the Account Holder) by sending an email requiring an
> >affirmative response through a tool-based authentication method
> >such as providing a unique code that must be returned in a manner
> >designated by the Registrar, or
> >
> >ii.the telephone number of the Registered Name Holder (and, if
> >different, the Account Holder) by either (A) calling or sending an
> >SMS to the Registered Name Holder's telephone number providing a
> >unique code that must be returned in a manner designated by the
> >Registrar, or (B) calling the Registered Name Holder's telephone
> >number and requiring the Registered Name Holder to provide a
> >unique code that was sent to the Registered Name Holder via web,
> >email or postal mail.
> >
> >As with the Final Report of the Whois Review Team, the goal of the
> >2013 RAA was “contactability” and “reachability” of the domain
> >name Registrant for technical or administrative questions by third
> >parties.
> >
> >C.Where Did the “No Failure” Standard Come From for NORC – the
> >Validation and Verification of Each and Every Whois Element
> >Without Policy Processes or Assessments of the Risks and Harms?
> >
> >Consistent with the Whois Review Team Final Report and the 2013
> >RAA, we can understand the NORC methodology and approach to
> >checking email addresses and telephone numbers – but postal
> >address validation?Where is the underlying GNSO Policy driving
> >this direction to NORC from ICANN Staff?
> >
> >*/Where is the assessment of the risks and benefits of updating
> >the physical addresses of hundreds of millions of political,
> >personal, religious, ethnic and sexual speakers – including
> >dissidents, minorities and those discriminated against by the laws
> >and customs of various regions?/*Where is NORC evaluating the
> >wholesale and massive verification of postal address in the
> >existing gTLD WHOIS databases without such an assessment?How did
> >ICANN Staff come to direct it?
> >
> >
> >The NORC Contractor seems to have jumped from the logical –
> >checking email and phone – to checking physical addresses. But
> >this leap from an open and undecided policy question to a mere
> >implementation issue should be disturbing to everyone in the ICANN
> >Community. What we know from history and the most tragic of recent
> >events is that speech and physical location are a dangerous
> >combination.
> >
> >
> >When individuals armed with automatic rifles wish to express their
> >disagreement with the legal speech of a satirical magazine, they
> >find the location in Parisand kill writers, publishers and
> >cartoonists. When they want to express contempt for those
> >practicing another religion, they bring their guns to kosher
> >grocery stores in Parisand synagogues in Copenhagen. Tracking down
> >and beheading Christian minorities is a horror of daily life in
> >some parts of the world.
> >
> >
> >The UN Declaration of Human Rights, adopted in 1948, states:
> >
> >  * Everyone has the right to freedom of opinion and expression; this
> >    right includes freedom to hold opinions without interference and
> >    to seek, receive and impart information and ideas through any
> >    media and regardless of frontiers.
> >
> >
> >It does not say that everyone must put their address on that
> >speech. Where, as here, the Internet has become the major path of
> >communication for that speech, the requirement of a physical
> >address for every speaker may well violate the requirement of the
> >right to speak and the protection for that expression.
> >
> >
> >Further, the validation of postal addresses represents a major
> >change of policy – one not mandated or requested by the Whois
> >Review Team, the 2013 RAA or by any Policy-Development Team we
> >know of.
> >
> >Who has evaluated the impact and dangers of wholesale adoption of
> >postal address validation of the long-existing gTLD Whois
> >databases– especially in a world that has changed dramatically in
> >the last few years – where entire governments have risen and
> >fallen, where formerly free countries and regions are enslaved by
> >terrorist organizations and a new set of dictators? While
> >proxy/privacy registrations are available, */they are a costly
> >luxury for many and completely unknown to others/*.
> >
> >
> >The mandatory validation of the massive number of postal addresses
> >in the gTLD Whois database – as appears to be the policy proposal
> >buried between methodology and sample sizes in the Contractor’s
> >report -- will result in the dangerous, harmful, even
> >life-threatening exposure of those using their domain names for
> >nothing more than communicating their ideas, concerns, political
> >hopes, and religious meetings via private streams of domain name
> >communications, such as on listservs and email addresses, and more
> >public resources including websites and blogs.
> >
> >
> >No policy we know has ever directed ICANN Staff to instruct a
> >Contractor to engage in massive Postal Address Validation – and no
> >policy development process we know has studied, weighed, debated
> >or valued the enormous impact to speech and expression of going
> >back over 25+ years of domain names registrations to suddenly
> >“correct” the postal address and thereby expose battered women’s
> >shelters, women’s schools in Pakistan, pro-democracy groups,
> >family planning groups and LBGQT locations worldwide.
> >
> >
> >If this is the policy we in ICANN choose to adopt in the future
> >(as we certainly have NOT adopted it already), then it will
> >require enormous amounts of preparation, notice and warning to
> >gTLD domain name
> >registrants on a global scale. Absent that, we know (without doubt
> >or hyperbole) that ICANN will have blood on its hands.
> >
> >Overall, ICANN’s Contractor NORC seems to have jumped into
> >policy-making, not mere implementation.
> >
> >*
> >II. ****Identity Validation – Really? *
> >
> >
> >Buried deep in Appendix B, of the Contractor’s Report, behind
> >“syntactic accuracy” and “operational accuracy” is the explosive
> >issue of “exploring accuracy from an identity perspective” (page
> >45).
> >
> >At no time has ICANN ever held a Policy Development Processes on
> >Identity Validation. Accordingly, where does this guidance from
> >ICANN to its Contractor to explore identity validation
> >implementation come from?For those who attended the public Whois
> >meeting in LA, this issue certainly was not flagged in the
> >discussion; for those who attended the public meeting in
> >Singapore, this issue was introduced and IMMEDIATELY FLAGGED as
> >intensely controversial and divisive.
> >
> >
> >Identity validation of those engaged in freedom of expression,
> >publishing and political discussion is a deeply controversial
> >prospect – and one with heartfelt objection and opposition
> >grounded in history and law. The United States, for example,
> >sought to be free of Englandin part because of the mandatory
> >licensing of its printing presses – and the arrest of all who
> >published objections to actions of the English crown. Pamphlets
> >issued without names and addresses are not just a cultural right
> >in the US, but a constitutional one./McIntyre vs.
> >//Ohio//Elections Commission, 514 //U.S.//334 (US Supreme Court,
> >1995). /
> >
> >
> >A.The GAC asked for a weighing of the risks and benefits
> >
> >We note that the GAC has not issued policy in this area. According
> >to the “Brief Overview” provided by ICANN as introduction to this
> >Contractor Report and this public comment period, the GAC “asked
> >for an assessment of the feasibility, costs and benefits of
> >conducting identity validation as part of the development of the
> >ARS.”
> >
> >
> >Nowhere in this report do we see any assessment of the costs,
> >delays, risks and harms that might be incurred by gTLD
> >Registrants, Registrars and Registries worldwide if identity
> >validation were adopted. Nowhere do we even see an analysis of how
> >identity validation takes places, what happens when a minority
> >seeks to register, or when a speaker must disclose and show her
> >identification as the cost of signing up for a domain name
> >highlighting family planning, women rights, or women’s education
> >in parts of the world not as conducive to these fundamental rights
> >and basic principles. Must she go through her father for this too?
> >
> >
> >B.ICANN has promised a policy making process.
> >
> >In his response to the GAC on this issue, Dr. Crocker noted concerns:
> >
> >The costs of operating the Accuracy Reporting System are largely dependent
> >
> >upon the number of WHOIS records to be examined, as well as the level of
> >
> >validation (syntactic, operational, or identity). For example, the initial
> >
> >responses to the ICANN RFP reveal that identity validation
> >services are both
> >
> >costly and difficult to administer on a global basis. */There may
> >also be data/*
> >
> >*/protection and privacy issues of concern to the community when
> >conducting/*
> >
> >*/extensive identity validation on WHOIS records./*Hence, the costs of
> >
> >completing the development of Phase 3 will be determined based on
> >
> >engagement with the community to identify the appropriate level of
> >identity
> >
> >validation for ICANN to conduct, as well as the costs associated with
> >
> >performing identity validation on a global scale. (https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf,
> >emphasis added.)
> >
> >
> >As always, policy development must proceed implementation. We call
> >on ICANN to take this discussion out of the recesses of a
> >Contractor report, and into the light of the policy development
> >process.
> >
> >*
> >        III**. Wide Outreach Needed*
> >
> >One thing the Whois Review Team did note in its Final Review is
> >the need for clear and concerted outreach on issues that impact
> >the Whois: “We found great interest in the WHOIS policy among a
> >number of groups that do not traditionally participate in ICANN’s
> >more technical proceedings. They include the law enforcement
> >community, Data Protection Commissioners, and the privacy
> >community more generally.”The Whois Review Team’s recommendation
> >specifically call for active and concerted outreach to these
> >communities of its issue:
> >
> >*/Recommendation 3 - Outreach /*
> >
> >ICANN should ensure that WHOIS policy issues are accompanied by
> >cross-community outreach, including outreach to the communities
> >outside of ICANN with a specific interest in the issues, and an
> >ongoing program for consumer awareness.
> >
> >
> >That has clearly not happened here – when so much of substance is
> >buried so deeply in the back of a report. When will ICANN be
> >undertaking clear, robust global Outreach on these important
> >freedom of expression and privacy issues and implications?
> >
> >*
> >IV.**Finally, let’s Add Policy Staff and Freedom of Expression and
> >Data Protection Expertise*
> >
> >We ask that an ICANN Staff deeply steeped in data protection and
> >freedom of expression laws and rights be brought on to work on the
> >development of these address and identity issues. We understand
> >that ICANN feels previous backgrounds of its staffers do not limit
> >their activities, but the perception and reality of this issue
> >would be considered much more balanced if the ICANN Staffers of
> >the project hailed from an array of backgrounds and had
> >represented multiple sides of this issue in their prior lives.
> >
> >*
> >V.**Conclusion*
> >
> >We can’t bury wholesale physical address checking and the new
> >concept of identity validation in the back of a Contractor Report.
> >These are NOT policies examined or endorsed by the whole of the
> >ICANN or even the GNSO communities, nor policies evaluated yet by
> >the whole of the ICANN Community. The risks and benefits must be
> >assessed before the implementation is planned.
> >
> >
> >Signed,
> >
> >
> >MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP
> >[name, and/or organization, and/or country]
> >
>