Kathy (Kleiman)
WHOIS Accuracy Pilot Study Report
Burying Extremely Divisive Policy Questions in a Technical
Implementation Report Written by an ICANN Contractor is Improper and, in
this Case, Dangerous
These are comments written in response to the WHOIS Accuracy Pilot
Study Report. Buried in this Report which purports to be an
implementation report of an ICANN Contractor (NORC/University of Chicago)
-- are some of the most controversial and unsettled issues in ICANN
policy discussions and history. These issues are the subject of deep and
bitter divides over many years of ICANN work, the subject of interest
across the world, and the focus of a series of explosive comments in
Singapore when the ICANN Community began to realize what was happening.
It is inappropriate in the extreme, for ICANN policy issues to be
buried in a ICANN Contractor’s implementation report, and even further,
deep in its Appendix B, Next Steps for the Development of the WHOIS
Accuracy Report System (ARS). This follows pages of study “methods
and approach” language and sample design which are obscure even to
those who follow Whois policy issues on a regular basis. We submit
that after the many years of heated controversy over this topic, it is
disingenuous at the very least to allow this to happen policy debate to
continue its development in this manner.
We are deeply concerned that ICANN Staff has not flagged this Report,
or this Comment Proceeding, for what it appears to be a process to seek
permission from the ICANN Community for the:
a) wholesale checking of the physical addresses of
online speakers across the world (whether using domain names for
political speech, personal speech, or religious, ethnic or sexual
minority expression) thus creating an unprecedented inextricable link
between a speaker and her physical location, and
b) the radical new concept of Identity Validation for
each and every domain name Registrant to the ICANN Community, a concept
with inconceivable implications for political, ethnic and religious
minorities worldwide, as well as entrepreneurs, emerging organizations
and those operating today without identities who seek to create
them.
We respectfully add the issues below to this debate.
I. ICANN has never been given a mandate for Address
Checking on a Massive Scale
Although the Contractor’s Report seems to suggest that the ICANN
Community has approved the massive checking of postal addresses in the
existing gTLD Whois databases, that is not the case.
A. The Whois Review Team Final Report set the standard
of “contactability” -- reaching the domain name registrant with
questions and concerns not absolute accuracy of alll data in the
whois
The Current NORC Study (2014) and its accompanying ICANN Staff
Summary accompanying this NORC’s Pilot Report misrepresent the WHOIS
Policy Review Team Final Report and its Recommendations. The goal of
the Whois Review Team was “Contactibility” and “Reachability” of
the Registrant. To this end WHOIS Policy Review Team Final Report looked
“holistically” at the Whois record and did not seek the accuracy of
each and every element of a Registrant’s Whois record.
Specifically, the NORC Report of 2009/2010 (an earlier report called
the NORC Data Accuracy Study) created five categories for ranking the
data quality of a Whois record: Full Failure (overwhelmingly inaccurate);
Substantial Failure (most data inaccurate); Limited Failure (data to some
degree present and considered useful); Minimal Failure (may benefit from
additional information, but data provided is accurate) and No Failure
(data complete and accurate).
The Whois Review Team called for ICANN to significantly reduce the
number of “Full Failure” and “Substantial Failure” Whois Records
--- Avoidance of “No Failure” was not a goal at all. As shared
many times in meetings of the Whois Review Team and members of the ICANN
Community, including the GAC, what the WHOIS Review Team recommended was
that Whois information be sufficiently available and accurate for the
Registrant to be reached for legitimate technical, administrative and
other questions: [Recommendation] “6. ICANN should take appropriate
measures to reduce the number of WHOIS registrations that fall into the
accuracy groups Substantial Failure and Full Failure (as defined by the
NORC Data Accuracy Study, 2009/10) by 50% within 12 months and by 50%
again over the following 12 months.”
Thus, for the Whois Review Team, “No Failure” (full accuracy of
all fields) was not the goal; “contactability” and
“reachability” of Registrants was.
B. 2013 Registrar Accreditation
Agreement
The WHOIS Review Team Final Report noted that efforts were already
underway to improve accuracy and contactibility of Registrants in the
then-pending “direct negotiations with Registrars on revisions to the
RAA.” These negotiations resulted in the 2013 RAA which furthered the
goal of reaching Registrants through verified phone numbers and email
addresses:
1.f :
“Verify:
i. the email address of the
Registered Name Holder (and, if different, the Account Holder) by sending
an email requiring an affirmative response through a tool-based
authentication method such as providing a unique code that must be
returned in a manner designated by the Registrar,
or
ii. the telephone number of the
Registered Name Holder (and, if different, the Account Holder) by either
(A) calling or sending an SMS to the Registered Name Holder's telephone
number providing a unique code that must be returned in a manner
designated by the Registrar, or (B) calling the Registered Name Holder's
telephone number and requiring the Registered Name Holder to provide a
unique code that was sent to the Registered Name Holder via web, email or
postal mail.
As with the Final Report of the Whois Review Team, the goal of the
2013 RAA was “contactability” and “reachability” of the domain
name Registrant for technical or administrative questions by third
parties.
C. Where Did the “No Failure” Standard Come From for
NORC the Validaation and Verification of Each and Every Whois Element
Without Policy Processes or Assessments of the Risks and Harms?
Consistent with the Whois Review Team Final Report and the 2013 RAA,
we can understand the NORC methodology and approach to checking email
addresses and telephone numbers but postal address validation?
Where is the underlying GNSO Policy driving this direction to NORC from
ICANN Staff?
Where is the assessment of the risks and benefits of updating the
physical addresses of hundreds of millions of political, personal,
religious, ethnic and sexual speakers including dissidents, minorities
and those discriminated against by the laws and customs of various
regions? Where is NORC evaluating the wholesale and massive
verification of postal address in the existing gTLD WHOIS databases
without such an assessment? How did ICANN Staff come to direct it?
The NORC Contractor seems to have jumped from the logical checking
email and phone to checking physical addresses. But this leap from an
open and undecided policy question to a mere implementation issue should
be disturbing to everyone in the ICANN Community. What we know from
history and the most tragic of recent events is that speech and physical
location are a dangerous combination.
When individuals armed with automatic rifles wish to express their
disagreement with the legal speech of a satirical magazine, they find the
location in Paris and kill writers, publishers and cartoonists. When
they want to express contempt for those practicing another religion, they
bring their guns to kosher grocery stores in Paris and synagogues in
Copenhagen. Tracking down and beheading Christian minorities is a horror
of daily life in some parts of the world.
The UN Declaration of Human Rights, adopted in 1948, states:
Everyone has the right to freedom of opinion and expression; this
right includes freedom to hold opinions without interference and to seek,
receive and impart information and ideas through any media and regardless
of frontiers.
It does not say that everyone must put their address on that speech.
Where, as here, the Internet has become the major path of communication
for that speech, the requirement of a physical address for every speaker
may well violate the requirement of the right to speak and the protection
for that expression.
Further, the validation of postal addresses represents a major change
of policy one not mandated or requested byy the Whois Review Team, the
2013 RAA or by any Policy-Development Team we know of.
Who has evaluated the impact and dangers of wholesale adoption of
postal address validation of the long-existing gTLD Whois databases
especially in a world that has changed dramatically in the last few years
where entire governments have risen and fallen, where formerly free
countries and regions are enslaved by terrorist organizations and a new
set of dictators? While proxy/privacy registrations are available, they
are a costly luxury for many and completely unknown to others.
The mandatory validation of the massive number of postal addresses in
the gTLD Whois database as appears to be tthe policy proposal buried
between methodology and sample sizes in the Contractor’s report -- will
result in the dangerous, harmful, even life-threatening exposure of those
using their domain names for nothing more than communicating their ideas,
concerns, political hopes, and religious meetings via private streams of
domain name communications, such as on listservs and email addresses, and
more public resources including websites and blogs.
No policy we know has ever directed ICANN Staff to instruct a
Contractor to engage in massive Postal Address Validation – and no
policy development process we know has studied, weighed, debated or
valued the enormous impact to speech and expression of going back over
25+ years of domain names registrations to suddenly “correct” the
postal address and thereby expose battered women’s shelters, women’s
schools in Pakistan, pro-democracy groups, family planning groups and
LBGQT locations worldwide.
If this is the policy we in ICANN choose to adopt in the future (as
we certainly have NOT adopted it already), then it will require enormous
amounts of preparation, notice and warning to gTLD domain name
registrants on a global scale. Absent that, we know (without doubt
or hyperbole) that ICANN will have blood on its hands.
Overall, ICANN’s Contractor NORC seems to have jumped into
policy-making, not mere implementation.
II. Identity Validation Really?
Buried deep in Appendix B, of the Contractor’s Report, behind
“syntactic accuracy” and “operational accuracy” is the explosive
issue of “exploring accuracy from an identity perspective” (page 45).
At no time has ICANN ever held a Policy Development Processes on
Identity Validation. Accordingly, where does this guidance from ICANN to
its Contractor to explore identity validation implementation come
from? For those who attended the public Whois meeting in LA, this
issue certainly was not flagged in the discussion; for those who attended
the public meeting in Singapore, this issue was introduced and
IMMEDIATELY FLAGGED as intensely controversial and divisive.
Identity validation of those engaged in freedom of expression,
publishing and political discussion is a deeply controversial prospect
and one wwith heartfelt objection and opposition grounded in history and
law. The United States, for example, sought to be free of England in
part because of the mandatory licensing of its printing presses and the
arrest of alll who published objections to actions of the English crown.
Pamphlets issued without names and addresses are not just a cultural
right in the US, but a constitutional one. McIntyre vs. Ohio
Elections Commission, 514 U.S. 334 (US Supreme Court, 1995).
A. The GAC asked for a weighing of the risks and
benefits
We note that the GAC has not issued policy in this area. According
to the “Brief Overview” provided by ICANN as introduction to this
Contractor Report and this public comment period, the GAC “asked for an
assessment of the feasibility, costs and benefits of conducting identity
validation as part of the development of the ARS.”
Nowhere in this report do we see any assessment of the costs, delays,
risks and harms that might be incurred by gTLD Registrants, Registrars
and Registries worldwide if identity validation were adopted. Nowhere do
we even see an analysis of how identity validation takes places, what
happens when a minority seeks to register, or when a speaker must
disclose and show her identification as the cost of signing up for a
domain name highlighting family planning, women rights, or women’s
education in parts of the world not as conducive to these fundamental
rights and basic principles. Must she go through her father for this
too?
B. ICANN has promised a policy making process.
In his response to the GAC on this issue, Dr. Crocker noted
concerns:
The costs of operating the Accuracy Reporting System are largely
dependent
upon the number of WHOIS records to be examined, as well as the level
of
validation (syntactic, operational, or identity). For example, the
initial
responses to the ICANN RFP reveal that identity validation services
are both
costly and difficult to administer on a global basis. There may also
be data
protection and privacy issues of concern to the community when
conducting
extensive identity validation on WHOIS records. Hence, the costs
of
completing the development of Phase 3 will be determined based
on
engagement with the community to identify the appropriate level of
identity
validation for ICANN to conduct, as well as the costs associated
with
performing identity validation on a global scale.
(
https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf
, emphasis added.)
As always, policy development must proceed implementation. We call on
ICANN to take this discussion out of the recesses of a Contractor report,
and into the light of the policy development process.
III. Wide Outreach Needed
One thing the Whois Review
Team did note in its Final Review is the need for clear and concerted
outreach on issues that impact the Whois: “We found great interest in
the WHOIS policy among a number of groups that do not traditionally
participate in ICANN’s more technical proceedings. They include the
law enforcement community, Data Protection Commissioners, and the privacy
community more generally.” The Whois Review Team’s
recommendation specifically call for active and concerted outreach to
these communities of its issue:
Recommendation 3 - Outreach
ICANN should ensure that WHOIS policy issues are accompanied by
cross-community outreach, including outreach to the communities outside
of ICANN with a specific interest in the issues, and an ongoing program
for consumer awareness.
That has clearly not happened here when so much of substancee is
buried so deeply in the back of a report. When will ICANN be undertaking
clear, robust global Outreach on these important freedom of expression
and privacy issues and implications?
IV. Finally, let’s Add Policy Staff
and Freedom of Expression and Data Protection Expertise
We ask that an ICANN Staff deeply steeped in data protection and
freedom of expression laws and rights be brought on to work on the
development of these address and identity issues. We understand that
ICANN feels previous backgrounds of its staffers do not limit their
activities, but the perception and reality of this issue would be
considered much more balanced if the ICANN Staffers of the project hailed
from an array of backgrounds and had represented multiple sides of this
issue in their prior lives.
V. Conclusion
We can’t bury wholesale physical address checking and the new
concept of identity validation in the back of a Contractor Report.
These are NOT policies examined or endorsed by the whole of the ICANN or
even the GNSO communities, nor policies evaluated yet by the whole of the
ICANN Community. The risks and benefits must be assessed before the
implementation is planned.
Signed,
MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP
[name, and/or organization, and/or country]