Dear All,
Attached please find an important set of comments. They are to the Whois
Accuracy Pilot Study Report – by a group of researchers at the
University of Chicago called NORC. Buried in this report turns out to be
a many issues important to us in the Whois domain name registration
databases – including the question of postal addresses (should we be
validating and publishing the physical addresses of political dissident
groups, religious minorities, girls’ schools in areas where many do not
like girls education?Is there a danger to be evaluated *before* we
undertake this new policy?)
Identity Validation is a very open question as well, yet NORC seems
ready to start work in this area. I have written a set of questions that
say STOP – and let’s consider the policy implications of these acts
before we develop plans to put them into effect. The comments are below
(with a full copy attached).
*They are due tonight!If you can sign on, please do. Please let me know
your name and/or organization and/or country.*
**
Great tx to Stephanie Perrin for editing! Here are some thoughts of
members on our Policy Committee:
-Kathy’s drafted, what I believe to be, an excellent comment in
response. – Amr Elsadr
-Great job Kathy!! I support this document. -- Stephanie Perrin
-Feel free to add my name as endorsing the document – Ed Morris
Best and tx!!
Kathy (Kleiman)
*
WHOIS Accuracy Pilot Study Report*
Burying Extremely Divisive Policy Questions in a Technical
Implementation Report Written by an ICANN Contractor is Improper and, in
this Case, Dangerous
These are comments written in response to the WHOIS Accuracy Pilot Study
Report. Buried in this Report – which purports to be an implementation
report of an ICANN Contractor (NORC/University of Chicago) -- are some
of the most controversial and unsettled issues in ICANN policy
discussions and history. These issues are the subject of deep and bitter
divides over many years of ICANN work, the subject of interest across
the world, and the focus of a series of explosive comments in
Singaporewhen the ICANN Community began to realize what was happening.
It is inappropriate in the extreme, for ICANN policy issues to be buried
in a ICANN Contractor’s implementation report, and even further, deep in
its Appendix B,/Next Steps for the Development of the WHOIS Accuracy
Report System (ARS). /This follows pages of study “methods and approach”
language and sample design which are obscure even to those who follow
Whois policy issues on a regular basis.We submit that after the many
years of heated controversy over this topic, it is disingenuous at the
very least to allow this to happen policy debate to continue its
development in this manner.
We are deeply concerned that ICANN Staff has not flagged this Report, or
this Comment Proceeding, for what it appears to be – a process to seek
permission from the ICANN Community for the:
a)*wholesale checking of the physical addresses of online speakers
across the world (whether using domain names for political speech,
personal speech, or religious, ethnic or sexual minority
expression)*thus creating an unprecedented inextricable link between a
speaker and her physical location, and
b)*the**radical new concept of Identity Validation for each and every
domain name Registrant to the ICANN Community, *a concept with
inconceivable implications for political, ethnic and religious
minorities worldwide, as well as entrepreneurs, emerging organizations
and those operating today without identities who seek to create them.
We respectfully add the issues below to this debate.
*I.**ICANN has never been given a mandate for Address Checking on a
Massive Scale*
Although the Contractor’s Report seems to suggest that the ICANN
Community has approved the massive checking of postal addresses in the
existing gTLD Whois databases, that is not the case.
A.The Whois Review Team Final Report set the standard of
“contactability” -- reaching the domain name registrant with questions
and concerns – not absolute accuracy of all data in the whois
The Current NORC Study (2014) and its accompanying ICANN Staff Summary
accompanying this NORC’s Pilot Report misrepresent the WHOIS Policy
Review Team Final Report and its Recommendations. The goal of the Whois
Review Team was “Contactibility” and “Reachability” of the Registrant.
To this end WHOIS Policy Review Team Final Report looked “holistically”
at the Whois record and did not seek the accuracy of each and every
element of a Registrant’s Whois record.
Specifically, the NORC Report of 2009/2010 (an earlier report called the
NORC Data Accuracy Study) created five categories for ranking the data
quality of a Whois record: *Full Failure* (overwhelmingly inaccurate);
*Substantial Failure* (most data inaccurate); *Limited Failure* (data to
some degree present and considered useful); *Minimal Failure* (may
benefit from additional information, but data provided is accurate) and
*No Failure *(data complete and accurate).
*/
The Whois Review Team called for ICANN to significantly reduce the
number of “Full Failure” and “Substantial Failure” Whois Records ---
Avoidance of “No Failure” was not a goal at all./*As shared many times
in meetings of the Whois Review Team and members of the ICANN Community,
including the GAC, what the WHOIS Review Team recommended was that Whois
information be sufficiently available and accurate for the Registrant to
be reached –for legitimate technical, administrative and other
questions: [Recommendation] “*6. ICANN
shouldtakeappropriatemeasurestoreduce thenumberofWHOIS
registrationsthatfallintotheaccuracygroupsSubstantial Failureand Full
Failure(asdefinedbytheNORCDataAccuracyStudy,2009/10)by50%within12months
andby50%againoverthefollowing12months.*”
Thus, for the Whois Review Team, “No Failure” (full accuracy of all
fields) was */not the goal/*;“contactability” and “reachability” of
Registrants was.
B. 2013 Registrar Accreditation Agreement
The WHOIS Review Team Final Report noted that efforts were already
underway to improve accuracy and contactibility of Registrants in the
then-pending “direct negotiations with Registrars on revisions to the
RAA.” These negotiations resulted in the 2013 RAA which furthered the
goal of reaching Registrants through verified phone numbers and email
addresses:
1.f : “Verify:
i.the email address of the Registered Name Holder (and, if different,
the Account Holder) by sending an email requiring an affirmative
response through a tool-based authentication method such as providing a
unique code that must be returned in a manner designated by the
Registrar, or
ii.the telephone number of the Registered Name Holder (and, if
different, the Account Holder) by either (A) calling or sending an SMS
to the Registered Name Holder's telephone number providing a unique code
that must be returned in a manner designated by the Registrar, or (B)
calling the Registered Name Holder's telephone number and requiring the
Registered Name Holder to provide a unique code that was sent to the
Registered Name Holder via web, email or postal mail.
As with the Final Report of the Whois Review Team, the goal of the 2013
RAA was “contactability” and “reachability” of the domain name
Registrant for technical or administrative questions by third parties.
C.Where Did the “No Failure” Standard Come From for NORC – the
Validation and Verification of Each and Every Whois Element Without
Policy Processes or Assessments of the Risks and Harms?
Consistent with the Whois Review Team Final Report and the 2013 RAA, we
can understand the NORC methodology and approach to checking email
addresses and telephone numbers – but postal address validation?Where is
the underlying GNSO Policy driving this direction to NORC from ICANN Staff?
*/Where is the assessment of the risks and benefits of updating the
physical addresses of hundreds of millions of political, personal,
religious, ethnic and sexual speakers – including dissidents, minorities
and those discriminated against by the laws and customs of various
regions?/*Where is NORC evaluating the wholesale and massive
verification of postal address in the existing gTLD WHOIS databases
without such an assessment?How did ICANN Staff come to direct it?
The NORC Contractor seems to have jumped from the logical – checking
email and phone – to checking physical addresses. But this leap from an
open and undecided policy question to a mere implementation issue should
be disturbing to everyone in the ICANN Community. What we know from
history and the most tragic of recent events is that speech and physical
location are a dangerous combination.
When individuals armed with automatic rifles wish to express their
disagreement with the legal speech of a satirical magazine, they find
the location in Parisand kill writers, publishers and cartoonists. When
they want to express contempt for those practicing another religion,
they bring their guns to kosher grocery stores in Parisand synagogues in
Copenhagen. Tracking down and beheading Christian minorities is a horror
of daily life in some parts of the world.
The UN Declaration of Human Rights, adopted in 1948, states:
* Everyone has the right to freedom of opinion and expression; this
right includes freedom to hold opinions without interference and to
seek, receive and impart information and ideas through any media and
regardless of frontiers.
It does not say that everyone must put their address on that speech.
Where, as here, the Internet has become the major path of communication
for that speech, the requirement of a physical address for every speaker
may well violate the requirement of the right to speak and the
protection for that expression.
Further, the validation of postal addresses represents a major change of
policy – one not mandated or requested by the Whois Review Team, the
2013 RAA or by any Policy-Development Team we know of.
Who has evaluated the impact and dangers of wholesale adoption of postal
address validation of the long-existing gTLD Whois databases– especially
in a world that has changed dramatically in the last few years – where
entire governments have risen and fallen, where formerly free countries
and regions are enslaved by terrorist organizations and a new set of
dictators? While proxy/privacy registrations are available, */they are a
costly luxury for many and completely unknown to others/*.
The mandatory validation of the massive number of postal addresses in
the gTLD Whois database – as appears to be the policy proposal buried
between methodology and sample sizes in the Contractor’s report -- will
result in the dangerous, harmful, even life-threatening exposure of
those using their domain names for nothing more than communicating their
ideas, concerns, political hopes, and religious meetings via private
streams of domain name communications, such as on listservs and email
addresses, and more public resources including websites and blogs.
No policy we know has ever directed ICANN Staff to instruct a Contractor
to engage in massive Postal Address Validation – and no policy
development process we know has studied, weighed, debated or valued the
enormous impact to speech and expression of going back over 25+ years of
domain names registrations to suddenly “correct” the postal address and
thereby expose battered women’s shelters, women’s schools in Pakistan,
pro-democracy groups, family planning groups and LBGQT locations worldwide.
If this is the policy we in ICANN choose to adopt in the future (as we
certainly have NOT adopted it already), then it will require enormous
amounts of preparation, notice and warning to gTLD domain name
registrants on a global scale. Absent that, we know (without doubt or
hyperbole) that ICANN will have blood on its hands.
Overall, ICANN’s Contractor NORC seems to have jumped into
policy-making, not mere implementation.
*
II. ****Identity Validation – Really? *
Buried deep in Appendix B, of the Contractor’s Report, behind “syntactic
accuracy” and “operational accuracy” is the explosive issue of
“exploring accuracy from an identity perspective” (page 45).
At no time has ICANN ever held a Policy Development Processes on
Identity Validation. Accordingly, where does this guidance from ICANN to
its Contractor to explore identity validation implementation come
from?For those who attended the public Whois meeting in LA, this issue
certainly was not flagged in the discussion; for those who attended the
public meeting in Singapore, this issue was introduced and IMMEDIATELY
FLAGGED as intensely controversial and divisive.
Identity validation of those engaged in freedom of expression,
publishing and political discussion is a deeply controversial prospect –
and one with heartfelt objection and opposition grounded in history and
law. The United States, for example, sought to be free of Englandin part
because of the mandatory licensing of its printing presses – and the
arrest of all who published objections to actions of the English crown.
Pamphlets issued without names and addresses are not just a cultural
right in the US, but a constitutional one./McIntyre vs.
//Ohio//Elections Commission, 514 //U.S.//334 (US Supreme Court, 1995). /
A.The GAC asked for a weighing of the risks and benefits
We note that the GAC has not issued policy in this area. According to
the “Brief Overview” provided by ICANN as introduction to this
Contractor Report and this public comment period, the GAC “asked for an
assessment of the feasibility, costs and benefits of conducting identity
validation as part of the development of the ARS.”
Nowhere in this report do we see any assessment of the costs, delays,
risks and harms that might be incurred by gTLD Registrants, Registrars
and Registries worldwide if identity validation were adopted. Nowhere do
we even see an analysis of how identity validation takes places, what
happens when a minority seeks to register, or when a speaker must
disclose and show her identification as the cost of signing up for a
domain name highlighting family planning, women rights, or women’s
education in parts of the world not as conducive to these fundamental
rights and basic principles. Must she go through her father for this too?
B.ICANN has promised a policy making process.
In his response to the GAC on this issue, Dr. Crocker noted concerns:
The costs of operating the Accuracy Reporting System are largely dependent
upon the number of WHOIS records to be examined, as well as the level of
validation (syntactic, operational, or identity). For example, the initial
responses to the ICANN RFP reveal that identity validation services are both
costly and difficult to administer on a global basis. */There may also
be data/*
*/protection and privacy issues of concern to the community when
conducting/*
*/extensive identity validation on WHOIS records./*Hence, the costs of
completing the development of Phase 3 will be determined based on
engagement with the community to identify the appropriate level of identity
validation for ICANN to conduct, as well as the costs associated with
performing identity validation on a global scale.
(https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf,
emphasis added.)
As always, policy development must proceed implementation. We call on
ICANN to take this discussion out of the recesses of a Contractor
report, and into the light of the policy development process.
*
III**. Wide Outreach Needed*
One thing the Whois Review Team did note in its Final Review is the need
for clear and concerted outreach on issues that impact the Whois: “We
found great interest in the WHOIS policy among a number of groups that
do not traditionally participate in ICANN’s more technical proceedings.
They include the law enforcement community, Data Protection
Commissioners, and the privacy community more generally.”The Whois
Review Team’s recommendation specifically call for active and concerted
outreach to these communities of its issue:
*/Recommendation 3 - Outreach /*
ICANN should ensure that WHOIS policy issues are accompanied by
cross-community outreach, including outreach to the communities outside
of ICANN with a specific interest in the issues, and an ongoing program
for consumer awareness.
That has clearly not happened here – when so much of substance is buried
so deeply in the back of a report. When will ICANN be undertaking clear,
robust global Outreach on these important freedom of expression and
privacy issues and implications?
*
IV.**Finally, let’s Add Policy Staff and Freedom of Expression and Data
Protection Expertise*
We ask that an ICANN Staff deeply steeped in data protection and freedom
of expression laws and rights be brought on to work on the development
of these address and identity issues. We understand that ICANN feels
previous backgrounds of its staffers do not limit their activities, but
the perception and reality of this issue would be considered much more
balanced if the ICANN Staffers of the project hailed from an array of
backgrounds and had represented multiple sides of this issue in their
prior lives.
*
V.**Conclusion*
We can’t bury wholesale physical address checking and the new concept of
identity validation in the back of a Contractor Report. These are NOT
policies examined or endorsed by the whole of the ICANN or even the GNSO
communities, nor policies evaluated yet by the whole of the ICANN
Community. The risks and benefits must be assessed before the
implementation is planned.
Signed,
MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP
[name, and/or organization, and/or country]