Dear All, Attached please find an
important set of comments. They are
to the Whois Accuracy Pilot Study Report – by a group of
researchers at the Identity Validation is a
very open question as well, yet NORC
seems ready to start work in this area. I have written a set
of questions
that say STOP – and let’s consider the policy implications
of these acts before
we develop plans to put them into effect. The comments are
below (with a full
copy attached). They are due
tonight! If you
can sign on, please do. Please let me know your name
and/or organization and/or country. Great tx to Stephanie Perrin
for editing! Here are some
thoughts of members on our Policy Committee: -
Kathy’s drafted, what I
believe to be, an excellent
comment in response. – Amr Elsadr -
Great job Kathy!! I support
this document.
-- Stephanie Perrin -
Feel free to add my name as
endorsing the document – Ed
Morris Best
and tx!!
Kathy (Kleiman)
WHOIS Accuracy Pilot
Study Report
Burying
Extremely Divisive Policy Questions in a Technical
Implementation Report
Written by an ICANN Contractor is Improper and, in this Case,
Dangerous
These
are comments written in response to the WHOIS Accuracy Pilot
Study Report. Buried
in this Report – which purports to be an
implementation report of an ICANN Contractor (NORC/University
of Chicago) --
are some of the most controversial and unsettled issues in
ICANN policy discussions
and history. These issues are the subject of deep and bitter
divides over many
years of ICANN work, the subject of interest across the world,
and the focus of
a series of explosive comments in
It
is inappropriate in the extreme, for ICANN policy issues to be
buried in a ICANN
Contractor’s implementation report, and even further, deep in
its Appendix B,
Next Steps for the Development of the WHOIS Accuracy Report
System (ARS). This
follows pages of study “methods and
approach” language and sample design which are obscure even to
those who follow
Whois policy issues on a regular basis.
We submit that after the many years of heated
controversy over this
topic, it is disingenuous at the very least to allow this to
happen policy
debate to continue its development in this manner.
We
are deeply concerned that ICANN Staff has not flagged this
Report, or this Comment
Proceeding, for what it appears to be – a process to seek
permission from the
ICANN Community for the:
a)
wholesale checking of
the physical addresses of online speakers across the world
(whether using
domain names for political speech, personal speech, or
religious, ethnic or
sexual minority expression) thus creating an unprecedented
inextricable link between a
speaker and her physical location, and
b)
the radical new concept of Identity Validation for each
and every domain
name Registrant to the ICANN Community, a concept with
inconceivable
implications for political, ethnic and religious minorities
worldwide, as well
as entrepreneurs, emerging organizations and those operating
today without
identities who seek to create them.
We respectfully add the issues
below to this debate.
I.
ICANN has never been
given a mandate for Address Checking on a Massive Scale
Although
the Contractor’s Report seems to suggest that the ICANN
Community has approved
the massive checking of postal addresses in the existing gTLD
Whois databases,
that is not the case.
A.
The Whois Review Team
Final Report set the standard of “contactability” -- reaching
the domain name registrant
with questions and concerns – not absolute accuracy of all
data in the whois
The
Current NORC Study (2014) and its accompanying ICANN Staff
Summary accompanying
this NORC’s Pilot Report misrepresent the WHOIS Policy Review
Team Final Report
and its Recommendations. The
goal of the
Whois Review Team was “Contactibility” and “Reachability” of
the Registrant. To
this end WHOIS Policy Review Team Final Report looked
“holistically” at the
Whois record and did not seek the accuracy of each and every
element of a
Registrant’s Whois record.
Specifically,
the NORC Report of 2009/2010 (an earlier report called the
NORC Data Accuracy
Study) created five categories for ranking the data quality of
a Whois record: Full
Failure (overwhelmingly
inaccurate); Substantial
Failure
(most data inaccurate); Limited Failure
(data to some degree present and considered useful); Minimal Failure (may benefit from additional
information, but data
provided is accurate) and No Failure (data
complete and accurate).
The Whois
Review Team called for ICANN to significantly reduce the
number of “Full
Failure” and “Substantial Failure” Whois Records ---
Avoidance of “No Failure”
was not a goal at all. As shared many times in
meetings of the Whois Review Team and members of the ICANN
Community, including
the GAC, what the WHOIS Review Team recommended was that Whois
information be
sufficiently available and accurate for the Registrant to be
reached –for legitimate
technical, administrative and other questions:
[Recommendation] “6. ICANN
should take
appropriate measures to reduce the number of WHOIS registrations that fall into the accuracy groups Substantial Failure and
Full Failure (as defined
by the NORC Data Accuracy
Study, 2009/10)
by 50% within 12 months
and by 50% again over the following
12 months.”
Thus,
for the Whois Review Team, “No Failure” (full accuracy of all
fields) was not
the goal; “contactability”
and
“reachability” of Registrants was.
B. 2013 Registrar Accreditation Agreement
The
WHOIS Review Team Final Report noted that efforts were already
underway to
improve accuracy and contactibility of Registrants in the
then-pending “direct
negotiations with Registrars on revisions to the RAA.” These
negotiations
resulted in the 2013 RAA which furthered the goal of reaching
Registrants
through verified phone numbers and email addresses:
1.f :
“Verify:
i.
the email address of the
Registered Name Holder
(and, if different, the Account Holder) by sending an email
requiring an
affirmative response through a tool-based authentication method
such as
providing a unique code that must be returned in a manner
designated by the
Registrar, or
ii.
the telephone number of
the Registered Name
Holder (and, if different, the Account Holder) by either (A)
calling or sending
an SMS to the Registered Name Holder's telephone number
providing a unique code
that must be returned in a manner designated by the Registrar,
or (B) calling
the Registered Name Holder's telephone number and requiring the
Registered Name
Holder to provide a unique code that was sent to the Registered
Name Holder via
web, email or postal mail.
As
with the Final Report of the Whois Review Team, the goal of
the 2013 RAA was
“contactability” and “reachability” of the domain name
Registrant for technical
or administrative questions by third parties.
C. Where Did the “No
Failure” Standard Come From for NORC – the Validation and
Verification of Each
and Every Whois Element Without Policy Processes or
Assessments of the Risks
and Harms?
Consistent
with the Whois Review Team Final Report and the 2013 RAA, we
can understand the
NORC methodology and approach to checking email addresses and
telephone numbers
– but postal address validation?
Where
is the underlying GNSO Policy driving this direction to NORC
from ICANN Staff?
Where is
the assessment of the risks and benefits of updating the
physical addresses of
hundreds of millions of political, personal, religious,
ethnic and sexual
speakers – including dissidents, minorities and those
discriminated against by
the laws and customs of various regions? Where
is NORC evaluating the wholesale and massive verification of
postal address in
the existing gTLD WHOIS databases without such an assessment? How did ICANN Staff come
to direct it?
The
NORC Contractor seems to have jumped from the logical –
checking email and
phone – to checking physical addresses. But
this leap from an open and undecided policy question to a mere
implementation
issue should be disturbing to everyone in the ICANN Community.
What we know
from history and the most tragic of recent events is that
speech and physical
location are a dangerous combination.
When
individuals armed with automatic rifles wish to express their
disagreement with
the legal speech of a satirical magazine, they find the
location in
The UN Declaration of Human Rights, adopted in 1948, states:
It does not say that everyone must put their address on that
speech. Where, as here, the Internet has become the major path
of communication
for that speech, the requirement of a physical address for
every speaker may
well violate the requirement of the right to speak and the
protection for that
expression.
Further, the validation of postal addresses represents a
major change of policy – one not mandated or requested by the
Whois Review
Team, the 2013 RAA or by any Policy-Development Team we know
of.
Who has evaluated the impact and
dangers of wholesale
adoption of postal address validation of the long-existing
gTLD Whois databases–
especially in a world that has changed dramatically in the
last few years –
where entire governments have risen and fallen, where formerly
free countries
and regions are enslaved by terrorist organizations and a new
set of dictators?
While proxy/privacy registrations are available, they are a
costly luxury for many
and completely unknown to others.
The mandatory validation of the massive number of postal
addresses in the gTLD Whois database – as appears to be the
policy proposal
buried between methodology and sample sizes in the
Contractor’s report -- will
result in the dangerous, harmful, even life-threatening
exposure of those using
their domain names for nothing more than communicating their
ideas, concerns,
political hopes, and religious meetings via private streams of
domain name
communications, such as on listservs and email addresses, and
more public
resources including websites and blogs.
No policy we know has ever directed ICANN Staff to instruct
a Contractor to engage in massive Postal Address Validation –
and no policy
development process we know has studied, weighed, debated or
valued the
enormous impact to speech and expression of going back over
25+ years of domain
names registrations to suddenly “correct” the postal address
and thereby expose
battered women’s shelters, women’s schools in Pakistan,
pro-democracy groups,
family planning groups and LBGQT locations worldwide.
If this is the policy we in ICANN choose to adopt in the
future (as we certainly have NOT adopted it already), then it
will require
enormous amounts of preparation, notice and warning to gTLD
domain name
registrants on a global scale. Absent
that,
we know (without doubt or hyperbole) that ICANN will have
blood on its
hands.
Overall, ICANN’s Contractor NORC
seems to have jumped into policy-making,
not mere implementation.
II.
Identity Validation
– Really?
Buried deep in Appendix B, of the Contractor’s
Report, behind “syntactic accuracy” and “operational accuracy”
is the explosive
issue of “exploring accuracy from an identity perspective”
(page 45).
At no time has ICANN
ever held a Policy
Development Processes on Identity Validation. Accordingly,
where does this
guidance from ICANN to its Contractor to explore identity
validation implementation
come from? For those
who attended the public
Whois meeting in LA, this issue certainly was not flagged in
the discussion;
for those who attended the public meeting in Singapore, this
issue was
introduced and IMMEDIATELY FLAGGED as intensely controversial
and divisive.
Identity
validation of those engaged in freedom of expression,
publishing and political
discussion is a deeply controversial prospect – and one with
heartfelt
objection and opposition grounded in history and law. The
A.
The GAC asked for a
weighing of the risks and benefits
We
note that the GAC has not issued policy in this area. According to the “Brief
Overview” provided by
ICANN as introduction to this Contractor Report and this
public comment period,
the GAC “asked for an assessment of the feasibility, costs and
benefits of
conducting identity validation as part of the development of
the ARS.”
Nowhere
in this report do we see any assessment of the costs, delays,
risks and harms
that might be incurred by gTLD Registrants, Registrars and
Registries worldwide
if identity validation were adopted. Nowhere do we even see an
analysis of how
identity validation takes places, what happens when a minority
seeks to
register, or when a speaker must disclose and show her
identification as the
cost of signing up for a domain name highlighting family
planning, women
rights, or women’s education in parts of the world not as
conducive to these
fundamental rights and basic principles. Must she go through her
father for this too?
B.
ICANN has promised a
policy making process.
In
his response to the GAC on this issue, Dr. Crocker noted
concerns:
The
costs of operating the Accuracy Reporting System are largely
dependent
upon the number of WHOIS
records to be examined, as well as the level of
validation (syntactic,
operational, or identity). For example, the initial
responses to the ICANN
RFP reveal that identity validation services are both
costly and difficult to
administer on a global basis. There may also be data
protection and
privacy issues of concern to the
community when conducting
extensive
identity validation on WHOIS records. Hence, the costs of
completing the
development of Phase 3 will be determined based on
engagement with the
community to identify the appropriate level of identity
validation for ICANN to
conduct, as well as the costs associated with
performing identity
validation on a global scale. (https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf, emphasis added.)
As
always, policy development must proceed implementation. We
call on ICANN to
take this discussion out of the recesses of a Contractor
report, and into the
light of the policy development process.
III
Recommendation
3 - Outreach
ICANN
should ensure that WHOIS policy issues are accompanied by
cross-community
outreach, including outreach to the communities outside of
ICANN with a
specific interest in the issues, and an ongoing program for
consumer awareness.
That
has clearly not happened here – when so much of substance is
buried so deeply
in the back of a report. When will ICANN be undertaking clear,
robust global
Outreach on these important freedom of expression and privacy
issues and implications?
IV.
Finally, let’s Add
Policy Staff and Freedom of Expression and Data Protection
Expertise
We
ask that an ICANN Staff deeply steeped in data protection and
freedom of
expression laws and rights be brought on to work on the
development of these
address and identity issues. We understand that ICANN feels
previous
backgrounds of its staffers do not limit their activities, but
the perception
and reality of this issue would be considered much more
balanced if the ICANN
Staffers of the project hailed from an array of backgrounds
and had represented
multiple sides of this issue in their prior lives.
V.
Conclusion
We
can’t bury wholesale physical address checking and the new
concept of identity
validation in the back of a Contractor Report. These are NOT policies
examined or endorsed by
the whole of the ICANN or even the GNSO communities, nor
policies evaluated yet
by the whole of the ICANN Community. The risks and benefits
must be assessed
before the implementation is planned.
Signed,
MEMBERS
OF THE NONCOMMERCIALS STAKEHOLDERS GROUP
[name, and/or organization, and/or country]