Pleased to add my name Kathy. Sincerely, Walid On Mar 13, 2015 7:13 PM, "Kathy Kleiman" <[log in to unmask]> wrote: > > Dear All, > > Attached please find an important set of comments. They are to the Whois > Accuracy Pilot Study Report – by a group of researchers at the University > of Chicago called NORC. Buried in this report turns out to be a many > issues important to us in the Whois domain name registration databases – > including the question of postal addresses (should we be validating and > publishing the physical addresses of political dissident groups, religious > minorities, girls’ schools in areas where many do not like girls education? > Is there a danger to be evaluated *before* we undertake this new policy?) > > > > > Identity Validation is a very open question as well, yet NORC seems ready > to start work in this area. I have written a set of questions that say STOP > – and let’s consider the policy implications of these acts before we > develop plans to put them into effect. The comments are below (with a full > copy attached). > > > > *They are due tonight! If you can sign on, please do. Please let me know > your name and/or organization and/or country.* > > > > Great tx to Stephanie Perrin for editing! Here are some thoughts of > members on our Policy Committee: > > - Kathy’s drafted, what I believe to be, an excellent comment in > response. – Amr Elsadr > > - Great job Kathy!! I support this document. -- Stephanie Perrin > > - Feel free to add my name as endorsing the document – Ed Morris > > > > Best and tx!! > Kathy (Kleiman) > > > * WHOIS Accuracy Pilot Study Report* > > Burying Extremely Divisive Policy Questions in a Technical Implementation > Report Written by an ICANN Contractor is Improper and, in this Case, > Dangerous > > > These are comments written in response to the WHOIS Accuracy Pilot Study > Report. Buried in this Report – which purports to be an implementation > report of an ICANN Contractor (NORC/University of Chicago) -- are some of > the most controversial and unsettled issues in ICANN policy discussions and > history. These issues are the subject of deep and bitter divides over many > years of ICANN work, the subject of interest across the world, and the > focus of a series of explosive comments in Singapore when the ICANN > Community began to realize what was happening. > > > It is inappropriate in the extreme, for ICANN policy issues to be buried > in a ICANN Contractor’s implementation report, and even further, deep in > its Appendix B,* Next Steps for the Development of the WHOIS Accuracy > Report System (ARS). * This follows pages of study “methods and > approach” language and sample design which are obscure even to those who > follow Whois policy issues on a regular basis. We submit that after the > many years of heated controversy over this topic, it is disingenuous at the > very least to allow this to happen policy debate to continue its > development in this manner. > > We are deeply concerned that ICANN Staff has not flagged this Report, or > this Comment Proceeding, for what it appears to be – a process to seek > permission from the ICANN Community for the: > > a) *wholesale checking of the physical addresses of online speakers > across the world (whether using domain names for political speech, personal > speech, or religious, ethnic or sexual minority expression)* thus > creating an unprecedented inextricable link between a speaker and her > physical location, and > > > > b) *the* *radical new concept of Identity Validation for each and > every domain name Registrant to the ICANN Community, *a concept with > inconceivable implications for political, ethnic and religious minorities > worldwide, as well as entrepreneurs, emerging organizations and those > operating today without identities who seek to create them. > > > > We respectfully add the issues below to this debate. > > > > *I. **ICANN has never been given a mandate for Address Checking on > a Massive Scale* > > Although the Contractor’s Report seems to suggest that the ICANN Community > has approved the massive checking of postal addresses in the existing gTLD > Whois databases, that is not the case. > > > A. The Whois Review Team Final Report set the standard of > “contactability” -- reaching the domain name registrant with questions and > concerns – not absolute accuracy of all data in the whois > > The Current NORC Study (2014) and its accompanying ICANN Staff Summary > accompanying this NORC’s Pilot Report misrepresent the WHOIS Policy Review > Team Final Report and its Recommendations. The goal of the Whois Review > Team was “Contactibility” and “Reachability” of the Registrant. To this end > WHOIS Policy Review Team Final Report looked “holistically” at the Whois > record and did not seek the accuracy of each and every element of a > Registrant’s Whois record. > > > Specifically, the NORC Report of 2009/2010 (an earlier report called the > NORC Data Accuracy Study) created five categories for ranking the data > quality of a Whois record: *Full Failure* (overwhelmingly inaccurate); *Substantial > Failure* (most data inaccurate); *Limited Failure* (data to some degree > present and considered useful); *Minimal Failure* (may benefit from > additional information, but data provided is accurate) and *No Failure *(data > complete and accurate). > > > * The Whois Review Team called for ICANN to significantly reduce the > number of “Full Failure” and “Substantial Failure” Whois Records --- > Avoidance of “No Failure” was not a goal at all. *As shared many times > in meetings of the Whois Review Team and members of the ICANN Community, > including the GAC, what the WHOIS Review Team recommended was that Whois > information be sufficiently available and accurate for the Registrant to be > reached –for legitimate technical, administrative and other questions: > [Recommendation] “*6. ICANN should take appropriate measures to reduce > the number of WHOIS registrations that fall into the accuracy groups > Substantial Failure and Full Failure (as defined by the NORC Data Accuracy > Study, 2009/10) by 50% within 12 months and by 50% again over the following > 12 months.*” > > > Thus, for the Whois Review Team, “No Failure” (full accuracy of all > fields) was *not the goal*; “contactability” and “reachability” of > Registrants was. > > > B. 2013 Registrar Accreditation Agreement > > > The WHOIS Review Team Final Report noted that efforts were already > underway to improve accuracy and contactibility of Registrants in the > then-pending “direct negotiations with Registrars on revisions to the RAA.” > These negotiations resulted in the 2013 RAA which furthered the goal of > reaching Registrants through verified phone numbers and email addresses: > > 1.f : “Verify: > > i. the email address > of the Registered Name Holder (and, if different, the Account Holder) by > sending an email requiring an affirmative response through a tool-based > authentication method such as providing a unique code that must be returned > in a manner designated by the Registrar, or > > ii. the telephone > number of the Registered Name Holder (and, if different, the Account > Holder) by either (A) calling or sending an SMS to the Registered Name > Holder's telephone number providing a unique code that must be returned in > a manner designated by the Registrar, or (B) calling the Registered Name > Holder's telephone number and requiring the Registered Name Holder to > provide a unique code that was sent to the Registered Name Holder via web, > email or postal mail. > > As with the Final Report of the Whois Review Team, the goal of the 2013 > RAA was “contactability” and “reachability” of the domain name Registrant > for technical or administrative questions by third parties. > > C. Where Did the “No Failure” Standard Come From for NORC – the > Validation and Verification of Each and Every Whois Element Without Policy > Processes or Assessments of the Risks and Harms? > > Consistent with the Whois Review Team Final Report and the 2013 RAA, we > can understand the NORC methodology and approach to checking email > addresses and telephone numbers – but postal address validation? Where > is the underlying GNSO Policy driving this direction to NORC from ICANN > Staff? > > *Where is the assessment of the risks and benefits of updating the > physical addresses of hundreds of millions of political, personal, > religious, ethnic and sexual speakers – including dissidents, minorities > and those discriminated against by the laws and customs of various regions?* > Where is NORC evaluating the wholesale and massive verification of > postal address in the existing gTLD WHOIS databases without such an > assessment? How did ICANN Staff come to direct it? > > > The NORC Contractor seems to have jumped from the logical – checking email > and phone – to checking physical addresses. But this leap from an open > and undecided policy question to a mere implementation issue should be > disturbing to everyone in the ICANN Community. What we know from history > and the most tragic of recent events is that speech and physical location > are a dangerous combination. > > > When individuals armed with automatic rifles wish to express their > disagreement with the legal speech of a satirical magazine, they find the > location in Paris and kill writers, publishers and cartoonists. When > they want to express contempt for those practicing another religion, they > bring their guns to kosher grocery stores in Paris and synagogues in > Copenhagen. Tracking down and beheading Christian minorities is a horror > of daily life in some parts of the world. > > > The UN Declaration of Human Rights, adopted in 1948, states: > > - Everyone has the right to freedom of opinion and expression; this > right includes freedom to hold opinions without interference and to seek, > receive and impart information and ideas through any media and regardless > of frontiers. > > > It does not say that everyone must put their address on that speech. > Where, as here, the Internet has become the major path of communication for > that speech, the requirement of a physical address for every speaker may > well violate the requirement of the right to speak and the protection for > that expression. > > > Further, the validation of postal addresses represents a major change of > policy – one not mandated or requested by the Whois Review Team, the 2013 > RAA or by any Policy-Development Team we know of. > > Who has evaluated the impact and dangers of wholesale adoption of postal > address validation of the long-existing gTLD Whois databases– especially in > a world that has changed dramatically in the last few years – where entire > governments have risen and fallen, where formerly free countries and > regions are enslaved by terrorist organizations and a new set of dictators? > While proxy/privacy registrations are available, *they are a costly > luxury for many and completely unknown to others*. > > > The mandatory validation of the massive number of postal addresses in the > gTLD Whois database – as appears to be the policy proposal buried between > methodology and sample sizes in the Contractor’s report -- will result in > the dangerous, harmful, even life-threatening exposure of those using their > domain names for nothing more than communicating their ideas, concerns, > political hopes, and religious meetings via private streams of domain name > communications, such as on listservs and email addresses, and more public > resources including websites and blogs. > > > No policy we know has ever directed ICANN Staff to instruct a Contractor > to engage in massive Postal Address Validation – and no policy development > process we know has studied, weighed, debated or valued the enormous impact > to speech and expression of going back over 25+ years of domain names > registrations to suddenly “correct” the postal address and thereby expose > battered women’s shelters, women’s schools in Pakistan, pro-democracy > groups, family planning groups and LBGQT locations worldwide. > > > If this is the policy we in ICANN choose to adopt in the future (as we > certainly have NOT adopted it already), then it will require enormous > amounts of preparation, notice and warning to gTLD domain name > registrants on a global scale. Absent that, we know (without doubt or > hyperbole) that ICANN will have blood on its hands. > > Overall, ICANN’s Contractor NORC seems to have jumped into policy-making, > not mere implementation. > > > * II. * *Identity Validation – Really? * > > > Buried deep in Appendix B, of the Contractor’s Report, behind “syntactic > accuracy” and “operational accuracy” is the explosive issue of “exploring > accuracy from an identity perspective” (page 45). > > At no time has ICANN ever held a Policy Development Processes on Identity > Validation. Accordingly, where does this guidance from ICANN to its > Contractor to explore identity validation implementation come from? For > those who attended the public Whois meeting in LA, this issue certainly was > not flagged in the discussion; for those who attended the public meeting in > Singapore, this issue was introduced and IMMEDIATELY FLAGGED as intensely > controversial and divisive. > > > Identity validation of those engaged in freedom of expression, publishing > and political discussion is a deeply controversial prospect – and one with > heartfelt objection and opposition grounded in history and law. The United > States, for example, sought to be free of England in part because of the > mandatory licensing of its printing presses – and the arrest of all who > published objections to actions of the English crown. Pamphlets issued > without names and addresses are not just a cultural right in the US, but > a constitutional one. *McIntyre vs. **Ohio** Elections Commission, 514 * > *U.S.** 334 (US Supreme Court, 1995). * > > > A. The GAC asked for a weighing of the risks and benefits > > We note that the GAC has not issued policy in this area. According to > the “Brief Overview” provided by ICANN as introduction to this Contractor > Report and this public comment period, the GAC “asked for an assessment of > the feasibility, costs and benefits of conducting identity validation as > part of the development of the ARS.” > > > Nowhere in this report do we see any assessment of the costs, delays, > risks and harms that might be incurred by gTLD Registrants, Registrars and > Registries worldwide if identity validation were adopted. Nowhere do we > even see an analysis of how identity validation takes places, what happens > when a minority seeks to register, or when a speaker must disclose and show > her identification as the cost of signing up for a domain name highlighting > family planning, women rights, or women’s education in parts of the world > not as conducive to these fundamental rights and basic principles. Must > she go through her father for this too? > > > B. ICANN has promised a policy making process. > > In his response to the GAC on this issue, Dr. Crocker noted concerns: > > The costs of operating the Accuracy Reporting System are largely dependent > > upon the number of WHOIS records to be examined, as well as the level of > > validation (syntactic, operational, or identity). For example, the initial > > responses to the ICANN RFP reveal that identity validation services are > both > > costly and difficult to administer on a global basis. *There may also be > data* > > *protection and privacy issues of concern to the community when conducting* > > *extensive identity validation on WHOIS records.* Hence, the costs of > > completing the development of Phase 3 will be determined based on > > engagement with the community to identify the appropriate level of identity > > validation for ICANN to conduct, as well as the costs associated with > > performing identity validation on a global scale. ( > https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf, > emphasis added.) > > > As always, policy development must proceed implementation. We call on > ICANN to take this discussion out of the recesses of a Contractor report, > and into the light of the policy development process. > > > * III**. Wide Outreach Needed* > One thing the Whois Review Team did note in its Final Review is the need > for clear and concerted outreach on issues that impact the Whois: “We found > great interest in the WHOIS policy among a number of groups that do not > traditionally participate in ICANN’s more technical proceedings. They > include the law enforcement community, Data Protection Commissioners, and > the privacy community more generally.” The Whois Review Team’s > recommendation specifically call for active and concerted outreach to these > communities of its issue: > > *Recommendation 3 - Outreach * > > ICANN should ensure that WHOIS policy issues are accompanied by > cross-community outreach, including outreach to the communities outside of > ICANN with a specific interest in the issues, and an ongoing program for > consumer awareness. > > > That has clearly not happened here – when so much of substance is buried > so deeply in the back of a report. When will ICANN be undertaking clear, > robust global Outreach on these important freedom of expression and privacy > issues and implications? > > > * IV. **Finally, let’s Add Policy Staff and Freedom of > Expression and Data Protection Expertise* > > We ask that an ICANN Staff deeply steeped in data protection and freedom > of expression laws and rights be brought on to work on the development of > these address and identity issues. We understand that ICANN feels previous > backgrounds of its staffers do not limit their activities, but the > perception and reality of this issue would be considered much more balanced > if the ICANN Staffers of the project hailed from an array of backgrounds > and had represented multiple sides of this issue in their prior lives. > > > * V. **Conclusion* > > We can’t bury wholesale physical address checking and the new concept of > identity validation in the back of a Contractor Report. These are NOT > policies examined or endorsed by the whole of the ICANN or even the GNSO > communities, nor policies evaluated yet by the whole of the ICANN > Community. The risks and benefits must be assessed before the > implementation is planned. > > > Signed, > > > MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP > [name, and/or organization, and/or country] >