Please add my name also. Good work. Nicolas Adam On 13/03/2015 2:11 PM, Kathy Kleiman wrote: > > > Dear All, > > Attached please find an important set of comments. They are to the > Whois Accuracy Pilot Study Report – by a group of researchers at the > University of Chicago called NORC. Buried in this report turns out to > be a many issues important to us in the Whois domain name registration > databases – including the question of postal addresses (should we be > validating and publishing the physical addresses of political > dissident groups, religious minorities, girls’ schools in areas where > many do not like girls education?Is there a danger to be evaluated > *before* we undertake this new policy?) > > Identity Validation is a very open question as well, yet NORC seems > ready to start work in this area. I have written a set of questions > that say STOP – and let’s consider the policy implications of these > acts before we develop plans to put them into effect. The comments are > below (with a full copy attached). > > *They are due tonight!If you can sign on, please do. Please let me > know your name and/or organization and/or country.* > > ** > > Great tx to Stephanie Perrin for editing! Here are some thoughts of > members on our Policy Committee: > > -Kathy’s drafted, what I believe to be, an excellent comment in > response. – Amr Elsadr > > -Great job Kathy!! I support this document. -- Stephanie Perrin > > -Feel free to add my name as endorsing the document – Ed Morris > > Best and tx!! > Kathy (Kleiman) > > * > WHOIS Accuracy Pilot Study Report* > > Burying Extremely Divisive Policy Questions in a Technical > Implementation Report Written by an ICANN Contractor is Improper and, > in this Case, Dangerous > > > These are comments written in response to the WHOIS Accuracy Pilot > Study Report. Buried in this Report – which purports to be an > implementation report of an ICANN Contractor (NORC/University of > Chicago) -- are some of the most controversial and unsettled issues in > ICANN policy discussions and history. These issues are the subject of > deep and bitter divides over many years of ICANN work, the subject of > interest across the world, and the focus of a series of explosive > comments in Singaporewhen the ICANN Community began to realize what > was happening. > > > It is inappropriate in the extreme, for ICANN policy issues to be > buried in a ICANN Contractor’s implementation report, and even > further, deep in its Appendix B,/Next Steps for the Development of the > WHOIS Accuracy Report System (ARS). /This follows pages of study > “methods and approach” language and sample design which are obscure > even to those who follow Whois policy issues on a regular basis.We > submit that after the many years of heated controversy over this > topic, it is disingenuous at the very least to allow this to happen > policy debate to continue its development in this manner. > > We are deeply concerned that ICANN Staff has not flagged this Report, > or this Comment Proceeding, for what it appears to be – a process to > seek permission from the ICANN Community for the: > > a)*wholesale checking of the physical addresses of online speakers > across the world (whether using domain names for political speech, > personal speech, or religious, ethnic or sexual minority > expression)*thus creating an unprecedented inextricable link between a > speaker and her physical location, and > > b)*the**radical new concept of Identity Validation for each and every > domain name Registrant to the ICANN Community, *a concept with > inconceivable implications for political, ethnic and religious > minorities worldwide, as well as entrepreneurs, emerging organizations > and those operating today without identities who seek to create them. > > We respectfully add the issues below to this debate. > > *I.**ICANN has never been given a mandate for Address Checking on a > Massive Scale* > > Although the Contractor’s Report seems to suggest that the ICANN > Community has approved the massive checking of postal addresses in the > existing gTLD Whois databases, that is not the case. > > > A.The Whois Review Team Final Report set the standard of > “contactability” -- reaching the domain name registrant with questions > and concerns – not absolute accuracy of all data in the whois > > The Current NORC Study (2014) and its accompanying ICANN Staff Summary > accompanying this NORC’s Pilot Report misrepresent the WHOIS Policy > Review Team Final Report and its Recommendations. The goal of the > Whois Review Team was “Contactibility” and “Reachability” of the > Registrant. To this end WHOIS Policy Review Team Final Report looked > “holistically” at the Whois record and did not seek the accuracy of > each and every element of a Registrant’s Whois record. > > > Specifically, the NORC Report of 2009/2010 (an earlier report called > the NORC Data Accuracy Study) created five categories for ranking the > data quality of a Whois record: *Full Failure* (overwhelmingly > inaccurate); *Substantial Failure* (most data inaccurate); *Limited > Failure* (data to some degree present and considered useful); *Minimal > Failure* (may benefit from additional information, but data provided > is accurate) and *No Failure *(data complete and accurate). > > */ > The Whois Review Team called for ICANN to significantly reduce the > number of “Full Failure” and “Substantial Failure” Whois Records --- > Avoidance of “No Failure” was not a goal at all./*As shared many times > in meetings of the Whois Review Team and members of the ICANN > Community, including the GAC, what the WHOIS Review Team recommended > was that Whois information be sufficiently available and accurate for > the Registrant to be reached –for legitimate technical, administrative > and other questions: [Recommendation] “*6. ICANN > shouldtakeappropriatemeasurestoreduce thenumberofWHOIS > registrationsthatfallintotheaccuracygroupsSubstantial Failureand Full > Failure(asdefinedbytheNORCDataAccuracyStudy,2009/10)by50%within12months andby50%againoverthefollowing12months.*” > > > Thus, for the Whois Review Team, “No Failure” (full accuracy of all > fields) was */not the goal/*;“contactability” and “reachability” of > Registrants was. > > > B. 2013 Registrar Accreditation Agreement > > > The WHOIS Review Team Final Report noted that efforts were already > underway to improve accuracy and contactibility of Registrants in the > then-pending “direct negotiations with Registrars on revisions to the > RAA.” These negotiations resulted in the 2013 RAA which furthered the > goal of reaching Registrants through verified phone numbers and email > addresses: > > 1.f : “Verify: > > i.the email address of the Registered Name Holder (and, if different, > the Account Holder) by sending an email requiring an affirmative > response through a tool-based authentication method such as providing > a unique code that must be returned in a manner designated by the > Registrar, or > > ii.the telephone number of the Registered Name Holder (and, if > different, the Account Holder) by either (A) calling or sending an SMS > to the Registered Name Holder's telephone number providing a unique > code that must be returned in a manner designated by the Registrar, or > (B) calling the Registered Name Holder's telephone number and > requiring the Registered Name Holder to provide a unique code that was > sent to the Registered Name Holder via web, email or postal mail. > > As with the Final Report of the Whois Review Team, the goal of the > 2013 RAA was “contactability” and “reachability” of the domain name > Registrant for technical or administrative questions by third parties. > > C.Where Did the “No Failure” Standard Come From for NORC – the > Validation and Verification of Each and Every Whois Element Without > Policy Processes or Assessments of the Risks and Harms? > > Consistent with the Whois Review Team Final Report and the 2013 RAA, > we can understand the NORC methodology and approach to checking email > addresses and telephone numbers – but postal address validation?Where > is the underlying GNSO Policy driving this direction to NORC from > ICANN Staff? > > */Where is the assessment of the risks and benefits of updating the > physical addresses of hundreds of millions of political, personal, > religious, ethnic and sexual speakers – including dissidents, > minorities and those discriminated against by the laws and customs of > various regions?/*Where is NORC evaluating the wholesale and massive > verification of postal address in the existing gTLD WHOIS databases > without such an assessment?How did ICANN Staff come to direct it? > > > The NORC Contractor seems to have jumped from the logical – checking > email and phone – to checking physical addresses. But this leap from > an open and undecided policy question to a mere implementation issue > should be disturbing to everyone in the ICANN Community. What we know > from history and the most tragic of recent events is that speech and > physical location are a dangerous combination. > > > When individuals armed with automatic rifles wish to express their > disagreement with the legal speech of a satirical magazine, they find > the location in Parisand kill writers, publishers and cartoonists. > When they want to express contempt for those practicing another > religion, they bring their guns to kosher grocery stores in Parisand > synagogues in Copenhagen. Tracking down and beheading Christian > minorities is a horror of daily life in some parts of the world. > > > The UN Declaration of Human Rights, adopted in 1948, states: > > * Everyone has the right to freedom of opinion and expression; this > right includes freedom to hold opinions without interference and > to seek, receive and impart information and ideas through any > media and regardless of frontiers. > > > It does not say that everyone must put their address on that speech. > Where, as here, the Internet has become the major path of > communication for that speech, the requirement of a physical address > for every speaker may well violate the requirement of the right to > speak and the protection for that expression. > > > Further, the validation of postal addresses represents a major change > of policy – one not mandated or requested by the Whois Review Team, > the 2013 RAA or by any Policy-Development Team we know of. > > Who has evaluated the impact and dangers of wholesale adoption of > postal address validation of the long-existing gTLD Whois databases– > especially in a world that has changed dramatically in the last few > years – where entire governments have risen and fallen, where formerly > free countries and regions are enslaved by terrorist organizations and > a new set of dictators? While proxy/privacy registrations are > available, */they are a costly luxury for many and completely unknown > to others/*. > > > The mandatory validation of the massive number of postal addresses in > the gTLD Whois database – as appears to be the policy proposal buried > between methodology and sample sizes in the Contractor’s report -- > will result in the dangerous, harmful, even life-threatening exposure > of those using their domain names for nothing more than communicating > their ideas, concerns, political hopes, and religious meetings via > private streams of domain name communications, such as on listservs > and email addresses, and more public resources including websites and > blogs. > > > No policy we know has ever directed ICANN Staff to instruct a > Contractor to engage in massive Postal Address Validation – and no > policy development process we know has studied, weighed, debated or > valued the enormous impact to speech and expression of going back over > 25+ years of domain names registrations to suddenly “correct” the > postal address and thereby expose battered women’s shelters, women’s > schools in Pakistan, pro-democracy groups, family planning groups and > LBGQT locations worldwide. > > > If this is the policy we in ICANN choose to adopt in the future (as we > certainly have NOT adopted it already), then it will require enormous > amounts of preparation, notice and warning to gTLD domain name > registrants on a global scale. Absent that, we know (without doubt or > hyperbole) that ICANN will have blood on its hands. > > Overall, ICANN’s Contractor NORC seems to have jumped into > policy-making, not mere implementation. > > * > II. ****Identity Validation – Really? * > > > Buried deep in Appendix B, of the Contractor’s Report, behind > “syntactic accuracy” and “operational accuracy” is the explosive issue > of “exploring accuracy from an identity perspective” (page 45). > > At no time has ICANN ever held a Policy Development Processes on > Identity Validation. Accordingly, where does this guidance from ICANN > to its Contractor to explore identity validation implementation come > from?For those who attended the public Whois meeting in LA, this issue > certainly was not flagged in the discussion; for those who attended > the public meeting in Singapore, this issue was introduced and > IMMEDIATELY FLAGGED as intensely controversial and divisive. > > > Identity validation of those engaged in freedom of expression, > publishing and political discussion is a deeply controversial prospect > – and one with heartfelt objection and opposition grounded in history > and law. The United States, for example, sought to be free of > Englandin part because of the mandatory licensing of its printing > presses – and the arrest of all who published objections to actions of > the English crown. Pamphlets issued without names and addresses are > not just a cultural right in the US, but a constitutional > one./McIntyre vs. //Ohio//Elections Commission, 514 //U.S.//334 (US > Supreme Court, 1995). / > > > A.The GAC asked for a weighing of the risks and benefits > > We note that the GAC has not issued policy in this area. According to > the “Brief Overview” provided by ICANN as introduction to this > Contractor Report and this public comment period, the GAC “asked for > an assessment of the feasibility, costs and benefits of conducting > identity validation as part of the development of the ARS.” > > > Nowhere in this report do we see any assessment of the costs, delays, > risks and harms that might be incurred by gTLD Registrants, Registrars > and Registries worldwide if identity validation were adopted. Nowhere > do we even see an analysis of how identity validation takes places, > what happens when a minority seeks to register, or when a speaker must > disclose and show her identification as the cost of signing up for a > domain name highlighting family planning, women rights, or women’s > education in parts of the world not as conducive to these fundamental > rights and basic principles. Must she go through her father for this too? > > > B.ICANN has promised a policy making process. > > In his response to the GAC on this issue, Dr. Crocker noted concerns: > > The costs of operating the Accuracy Reporting System are largely dependent > > upon the number of WHOIS records to be examined, as well as the level of > > validation (syntactic, operational, or identity). For example, the initial > > responses to the ICANN RFP reveal that identity validation services > are both > > costly and difficult to administer on a global basis. */There may also > be data/* > > */protection and privacy issues of concern to the community when > conducting/* > > */extensive identity validation on WHOIS records./*Hence, the costs of > > completing the development of Phase 3 will be determined based on > > engagement with the community to identify the appropriate level of > identity > > validation for ICANN to conduct, as well as the costs associated with > > performing identity validation on a global scale. > (https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf, > emphasis added.) > > > As always, policy development must proceed implementation. We call on > ICANN to take this discussion out of the recesses of a Contractor > report, and into the light of the policy development process. > > * > III**. Wide Outreach Needed* > > One thing the Whois Review Team did note in its Final Review is the > need for clear and concerted outreach on issues that impact the Whois: > “We found great interest in the WHOIS policy among a number of groups > that do not traditionally participate in ICANN’s more technical > proceedings. They include the law enforcement community, Data > Protection Commissioners, and the privacy community more > generally.”The Whois Review Team’s recommendation specifically call > for active and concerted outreach to these communities of its issue: > > */Recommendation 3 - Outreach /* > > ICANN should ensure that WHOIS policy issues are accompanied by > cross-community outreach, including outreach to the communities > outside of ICANN with a specific interest in the issues, and an > ongoing program for consumer awareness. > > > That has clearly not happened here – when so much of substance is > buried so deeply in the back of a report. When will ICANN be > undertaking clear, robust global Outreach on these important freedom > of expression and privacy issues and implications? > > * > IV.**Finally, let’s Add Policy Staff and Freedom of Expression and > Data Protection Expertise* > > We ask that an ICANN Staff deeply steeped in data protection and > freedom of expression laws and rights be brought on to work on the > development of these address and identity issues. We understand that > ICANN feels previous backgrounds of its staffers do not limit their > activities, but the perception and reality of this issue would be > considered much more balanced if the ICANN Staffers of the project > hailed from an array of backgrounds and had represented multiple sides > of this issue in their prior lives. > > * > V.**Conclusion* > > We can’t bury wholesale physical address checking and the new concept > of identity validation in the back of a Contractor Report. These are > NOT policies examined or endorsed by the whole of the ICANN or even > the GNSO communities, nor policies evaluated yet by the whole of the > ICANN Community. The risks and benefits must be assessed before the > implementation is planned. > > > Signed, > > > MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP > [name, and/or organization, and/or country] >