Mine as well David At 04:14 PM 3/13/2015, Walid AL-SAQAF wrote: >Pleased to add my name Kathy. > >Sincerely, > >Walid >On Mar 13, 2015 7:13 PM, "Kathy Kleiman" ><<mailto:[log in to unmask]>[log in to unmask]> wrote: >Dear All, >Attached please find an important set of >comments. They are to the Whois Accuracy Pilot >Study Report by a group oof researchers at the >University of Chicago called NORC. Buried in >this report turns out to be a many issues >important to us in the Whois domain name >registration databases including the quesstion >of postal addresses (should we be validating and >publishing the physical addresses of political >dissident groups, religious minorities, girls’ >schools in areas where many do not like girls >education? Is there a danger to be evaluated >*before* we undertake this new policy?) > >Identity Validation is a very open question as >well, yet NORC seems ready to start work in this >area. I have written a set of questions that say >STOP and let’s consider the policy >iimplications of these acts before we develop >plans to put them into effect. The comments are >below (with a full copy attached). > >They are due tonight! If you can sign on, >please do. Please let me know your name and/or organization and/or country. > >Great tx to Stephanie Perrin for editing! Here >are some thoughts of members on our Policy Committee: >- Kathy’s drafted, what I >believe to be, an excellent comment in response. Amr Elsadr >- Great job Kathy!! I support >this document. -- Stephanie Perrin >- Feel free to add my name as >endorsing the document Ed Morris > >Best and tx!! >Kathy (Kleiman) > >WHOIS Accuracy Pilot Study Report >Burying Extremely Divisive Policy Questions in a >Technical Implementation Report Written by an >ICANN Contractor is Improper and, in this Case, Dangerous >These are comments written in response to the >WHOIS Accuracy Pilot Study Report. Buried in >this Report which purports to be an >implementation report of an ICANN Contractor >(NORC/University of Chicago) -- are some of the >most controversial and unsettled issues in ICANN >policy discussions and history. These issues are >the subject of deep and bitter divides over many >years of ICANN work, the subject of interest >across the world, and the focus of a series of >explosive comments in Singapore when the ICANN >Community began to realize what was happening. > >It is inappropriate in the extreme, for ICANN >policy issues to be buried in a ICANN >Contractor’s implementation report, and even >further, deep in its Appendix B, Next Steps for >the Development of the WHOIS Accuracy Report >System (ARS). This follows pages of study >“methods and approach” language and sample >design which are obscure even to those who >follow Whois policy issues on a regular >basis. We submit that after the many years of >heated controversy over this topic, it is >disingenuous at the very least to allow this to >happen policy debate to continue its development in this manner. >We are deeply concerned that ICANN Staff has not >flagged this Report, or this Comment Proceeding, >for what it appears to be a process to seek >permission from the ICANN Community for the: > >a) wholesale checking of the physical >addresses of online speakers across the world >(whether using domain names for political >speech, personal speech, or religious, ethnic or >sexual minority expression) thus creating an >unprecedented inextricable link between a >speaker and her physical location, and > >b) the radical new concept of Identity >Validation for each and every domain name >Registrant to the ICANN Community, a concept >with inconceivable implications for political, >ethnic and religious minorities worldwide, as >well as entrepreneurs, emerging organizations >and those operating today without identities who seek to create them. > >We respectfully add the issues below to this debate. > >I. ICANN has never been given a >mandate for Address Checking on a Massive Scale >Although the Contractor’s Report seems to >suggest that the ICANN Community has approved >the massive checking of postal addresses in the >existing gTLD Whois databases, that is not the case. > >A. The Whois Review Team Final Report >set the standard of “contactability” -- >reaching the domain name registrant with >questions and concerns not absolute accuracy of alll data in the whois >The Current NORC Study (2014) and its >accompanying ICANN Staff Summary accompanying >this NORC’s Pilot Report misrepresent the >WHOIS Policy Review Team Final Report and its >Recommendations. The goal of the Whois Review >Team was “Contactibility” and >“Reachability” of the Registrant. To this >end WHOIS Policy Review Team Final Report looked >“holistically” at the Whois record and did >not seek the accuracy of each and every element >of a Registrant’s Whois record. > >Specifically, the NORC Report of 2009/2010 (an >earlier report called the NORC Data Accuracy >Study) created five categories for ranking the >data quality of a Whois record: Full Failure >(overwhelmingly inaccurate); Substantial Failure >(most data inaccurate); Limited Failure (data to >some degree present and considered useful); >Minimal Failure (may benefit from additional >information, but data provided is accurate) and >No Failure (data complete and accurate). > >The Whois Review Team called for ICANN to >significantly reduce the number of “Full >Failure” and “Substantial Failure” Whois >Records --- Avoidance of “No Failure” was >not a goal at all. As shared many times in >meetings of the Whois Review Team and members of >the ICANN Community, including the GAC, what the >WHOIS Review Team recommended was that Whois >information be sufficiently available and >accurate for the Registrant to be reached for >legitimate technical, administrative and other >questions: [Recommendation] “6. ICANN should >take appropriate measures to reduce the number >of WHOIS registrations that fall into the >accuracy groups Substantial Failure and Full >Failure (as defined by the NORC Data Accuracy >Study, 2009/10) by 50% within 12 months and by >50% again over the following 12 months.” > >Thus, for the Whois Review Team, “No >Failure” (full accuracy of all fields) was not >the goal; “contactability” and “reachability” of Registrants was. > B. 2013 Registrar Accreditation Agreement > >The WHOIS Review Team Final Report noted that >efforts were already underway to improve >accuracy and contactibility of Registrants in >the then-pending “direct negotiations with >Registrars on revisions to the RAA.” These >negotiations resulted in the 2013 RAA which >furthered the goal of reaching Registrants >through verified phone numbers and email addresses: > 1.f : “Verify: > > > i. the email address of the >Registered Name Holder (and, if different, the >Account Holder) by sending an email requiring an >affirmative response through a tool-based >authentication method such as providing a unique >code that must be returned in a manner designated by the Registrar, or > > ii. > the telephone number of the Registered >Name Holder (and, if different, the Account >Holder) by either (A) calling or sending an SMS >to the Registered Name Holder's telephone number >providing a unique code that must be returned in >a manner designated by the Registrar, or (B) >calling the Registered Name Holder's telephone >number and requiring the Registered Name Holder >to provide a unique code that was sent to the >Registered Name Holder via web, email or postal mail. >As with the Final Report of the Whois Review >Team, the goal of the 2013 RAA was >“contactability” and “reachability” of >the domain name Registrant for technical or >administrative questions by third parties. >C. Where Did the “No Failure” >Standard Come From for NORC the Validaation >and Verification of Each and Every Whois Element >Without Policy Processes or Assessments of the Risks and Harms? >Consistent with the Whois Review Team Final >Report and the 2013 RAA, we can understand the >NORC methodology and approach to checking email >addresses and telephone numbers but postal >address validation? Where is the underlying >GNSO Policy driving this direction to NORC from ICANN Staff? >Where is the assessment of the risks and >benefits of updating the physical addresses of >hundreds of millions of political, personal, >religious, ethnic and sexual speakers >including dissidents, minorities and those >discriminated against by the laws and customs of >various regions? Where is NORC evaluating the >wholesale and massive verification of postal >address in the existing gTLD WHOIS databases >without such an assessment? How did ICANN Staff come to direct it? > >The NORC Contractor seems to have jumped from >the logical checking email and phone to >checking physical addresses. But this leap >from an open and undecided policy question to a >mere implementation issue should be disturbing >to everyone in the ICANN Community. What we know >from history and the most tragic of recent >events is that speech and physical location are a dangerous combination. > >When individuals armed with automatic rifles >wish to express their disagreement with the >legal speech of a satirical magazine, they find >the location in Paris and kill writers, >publishers and cartoonists. When they want to >express contempt for those practicing another >religion, they bring their guns to kosher >grocery stores in Paris and synagogues in >Copenhagen. Tracking down and beheading >Christian minorities is a horror of daily life in some parts of the world. > >The UN Declaration of Human Rights, adopted in 1948, states: >Everyone has the right to freedom of opinion and >expression; this right includes freedom to hold >opinions without interference and to seek, >receive and impart information and ideas through >any media and regardless of frontiers. >It does not say that everyone must put their >address on that speech. Where, as here, the >Internet has become the major path of >communication for that speech, the requirement >of a physical address for every speaker may well >violate the requirement of the right to speak >and the protection for that expression. > >Further, the validation of postal addresses >represents a major change of policy one not >mandated or requested byy the Whois Review Team, >the 2013 RAA or by any Policy-Development Team we know of. >Who has evaluated the impact and dangers of >wholesale adoption of postal address validation >of the long-existing gTLD Whois databases >especially in a world that has changed >dramatically in the last few years where >entire governments have risen and fallen, where >formerly free countries and regions are enslaved >by terrorist organizations and a new set of >dictators? While proxy/privacy registrations are >available, they are a costly luxury for many and completely unknown to others. > >The mandatory validation of the massive number >of postal addresses in the gTLD Whois database >as appears to be tthe policy proposal buried >between methodology and sample sizes in the >Contractor’s report -- will result in the >dangerous, harmful, even life-threatening >exposure of those using their domain names for >nothing more than communicating their ideas, >concerns, political hopes, and religious >meetings via private streams of domain name >communications, such as on listservs and email >addresses, and more public resources including websites and blogs. > >No policy we know has ever directed ICANN Staff >to instruct a Contractor to engage in massive >Postal Address Validation – and no policy >development process we know has studied, >weighed, debated or valued the enormous impact >to speech and expression of going back over 25+ >years of domain names registrations to suddenly >“correct” the postal address and thereby >expose battered women’s shelters, women’s >schools in Pakistan, pro-democracy groups, >family planning groups and LBGQT locations worldwide. > >If this is the policy we in ICANN choose to >adopt in the future (as we certainly have NOT >adopted it already), then it will require >enormous amounts of preparation, notice and warning to gTLD domain name >registrants on a global scale. Absent that, we >know (without doubt or hyperbole) that ICANN will have blood on its hands. >Overall, ICANN’s Contractor NORC seems to have >jumped into policy-making, not mere implementation. > >II. Identity Validation Really? > >Buried deep in Appendix B, of the Contractor’s >Report, behind “syntactic accuracy” and >“operational accuracy” is the explosive >issue of “exploring accuracy from an identity perspective” (page 45). >At no time has ICANN ever held a Policy >Development Processes on Identity Validation. >Accordingly, where does this guidance from ICANN >to its Contractor to explore identity validation >implementation come from? For those who >attended the public Whois meeting in LA, this >issue certainly was not flagged in the >discussion; for those who attended the public >meeting in Singapore, this issue was introduced >and IMMEDIATELY FLAGGED as intensely controversial and divisive. > >Identity validation of those engaged in freedom >of expression, publishing and political >discussion is a deeply controversial prospect >and one wwith heartfelt objection and opposition >grounded in history and law. The United >States, for example, sought to be free of >England in part because of the mandatory >licensing of its printing presses and the >arrest of alll who published objections to >actions of the English crown. Pamphlets issued >without names and addresses are not just a >cultural right in the US, but a constitutional >one. McIntyre vs. Ohio Elections Commission, >514 U.S. 334 (US Supreme Court, 1995). > >A. The GAC asked for a weighing of the risks and benefits >We note that the GAC has not issued policy in >this area. According to the “Brief >Overview” provided by ICANN as introduction to >this Contractor Report and this public comment >period, the GAC “asked for an assessment of >the feasibility, costs and benefits of >conducting identity validation as part of the development of the ARS.” > >Nowhere in this report do we see any assessment >of the costs, delays, risks and harms that might >be incurred by gTLD Registrants, Registrars and >Registries worldwide if identity validation were >adopted. Nowhere do we even see an analysis of >how identity validation takes places, what >happens when a minority seeks to register, or >when a speaker must disclose and show her >identification as the cost of signing up for a >domain name highlighting family planning, women >rights, or women’s education in parts of the >world not as conducive to these fundamental >rights and basic principles. Must she go through her father for this too? > >B. ICANN has promised a policy making process. >In his response to the GAC on this issue, Dr. Crocker noted concerns: >The costs of operating the Accuracy Reporting System are largely dependent >upon the number of WHOIS records to be examined, as well as the level of >validation (syntactic, operational, or identity). For example, the initial >responses to the ICANN RFP reveal that identity validation services are both >costly and difficult to administer on a global basis. There may also be data >protection and privacy issues of concern to the community when conducting >extensive identity validation on WHOIS records. Hence, the costs of >completing the development of Phase 3 will be determined based on >engagement with the community to identify the appropriate level of identity >validation for ICANN to conduct, as well as the costs associated with >performing identity validation on a global >scale. >(<https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf>https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf, >emphasis added.) > >As always, policy development must proceed >implementation. We call on ICANN to take this >discussion out of the recesses of a Contractor >report, and into the light of the policy development process. > > III. Wide Outreach Needed >One thing the Whois Review Team did note in its >Final Review is the need for clear and concerted >outreach on issues that impact the Whois: “We >found great interest in the WHOIS policy among a >number of groups that do not traditionally >participate in ICANN’s more technical >proceedings. They include the law enforcement >community, Data Protection Commissioners, and >the privacy community more generally.” The >Whois Review Team’s recommendation >specifically call for active and concerted >outreach to these communities of its issue: >Recommendation 3 - Outreach >ICANN should ensure that WHOIS policy issues are >accompanied by cross-community outreach, >including outreach to the communities outside of >ICANN with a specific interest in the issues, >and an ongoing program for consumer awareness. > >That has clearly not happened here when so >much of substancee is buried so deeply in the >back of a report. When will ICANN be undertaking >clear, robust global Outreach on these important >freedom of expression and privacy issues and implications? > >IV. Finally, let’s >Add Policy Staff and Freedom of Expression and Data Protection Expertise >We ask that an ICANN Staff deeply steeped in >data protection and freedom of expression laws >and rights be brought on to work on the >development of these address and identity >issues. We understand that ICANN feels previous >backgrounds of its staffers do not limit their >activities, but the perception and reality of >this issue would be considered much more >balanced if the ICANN Staffers of the project >hailed from an array of backgrounds and had >represented multiple sides of this issue in their prior lives. > >V. Conclusion >We can’t bury wholesale physical address >checking and the new concept of identity >validation in the back of a Contractor Report. >These are NOT policies examined or endorsed by >the whole of the ICANN or even the GNSO >communities, nor policies evaluated yet by the >whole of the ICANN Community. The risks and >benefits must be assessed before the implementation is planned. > >Signed, > >MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP >[name, and/or organization, and/or country] ******************************* David G Post - Senior Fellow, Open Technology Institute/New America Foundation blog (Volokh Conspiracy) http://www.washingtonpost.com/people/david-post book (Jefferson's Moose) http://tinyurl.com/c327w2n music http://tinyurl.com/davidpostmusic publications etc. http://www.davidpost.com *******************************