Please add my name as well. -- Tapani Tarvainen On Fri, Mar 13, 2015 at 02:54:52PM -0400, Nicolas Adam ([log in to unmask]) wrote: > Please add my name also. Good work. > > Nicolas Adam > > On 13/03/2015 2:11 PM, Kathy Kleiman wrote: > > > > > >Dear All, > > > >Attached please find an important set of comments. They are to the > >Whois Accuracy Pilot Study Report – by a group of researchers at > >the University of Chicago called NORC. Buried in this report turns > >out to be a many issues important to us in the Whois domain name > >registration databases – including the question of postal > >addresses (should we be validating and publishing the physical > >addresses of political dissident groups, religious minorities, > >girls’ schools in areas where many do not like girls education?Is > >there a danger to be evaluated *before* we undertake this new > >policy?) > > > >Identity Validation is a very open question as well, yet NORC > >seems ready to start work in this area. I have written a set of > >questions that say STOP – and let’s consider the policy > >implications of these acts before we develop plans to put them > >into effect. The comments are below (with a full copy attached). > > > >*They are due tonight!If you can sign on, please do. Please let me > >know your name and/or organization and/or country.* > > > >** > > > >Great tx to Stephanie Perrin for editing! Here are some thoughts > >of members on our Policy Committee: > > > >-Kathy’s drafted, what I believe to be, an excellent comment in > >response. – Amr Elsadr > > > >-Great job Kathy!! I support this document. -- Stephanie Perrin > > > >-Feel free to add my name as endorsing the document – Ed Morris > > > >Best and tx!! > >Kathy (Kleiman) > > > >* > >WHOIS Accuracy Pilot Study Report* > > > >Burying Extremely Divisive Policy Questions in a Technical > >Implementation Report Written by an ICANN Contractor is Improper > >and, in this Case, Dangerous > > > > > >These are comments written in response to the WHOIS Accuracy Pilot > >Study Report. Buried in this Report – which purports to be an > >implementation report of an ICANN Contractor (NORC/University of > >Chicago) -- are some of the most controversial and unsettled > >issues in ICANN policy discussions and history. These issues are > >the subject of deep and bitter divides over many years of ICANN > >work, the subject of interest across the world, and the focus of a > >series of explosive comments in Singaporewhen the ICANN Community > >began to realize what was happening. > > > > > >It is inappropriate in the extreme, for ICANN policy issues to be > >buried in a ICANN Contractor’s implementation report, and even > >further, deep in its Appendix B,/Next Steps for the Development of > >the WHOIS Accuracy Report System (ARS). /This follows pages of > >study “methods and approach” language and sample design which are > >obscure even to those who follow Whois policy issues on a regular > >basis.We submit that after the many years of heated controversy > >over this topic, it is disingenuous at the very least to allow > >this to happen policy debate to continue its development in this > >manner. > > > >We are deeply concerned that ICANN Staff has not flagged this > >Report, or this Comment Proceeding, for what it appears to be – a > >process to seek permission from the ICANN Community for the: > > > >a)*wholesale checking of the physical addresses of online speakers > >across the world (whether using domain names for political speech, > >personal speech, or religious, ethnic or sexual minority > >expression)*thus creating an unprecedented inextricable link > >between a speaker and her physical location, and > > > >b)*the**radical new concept of Identity Validation for each and > >every domain name Registrant to the ICANN Community, *a concept > >with inconceivable implications for political, ethnic and > >religious minorities worldwide, as well as entrepreneurs, emerging > >organizations and those operating today without identities who > >seek to create them. > > > >We respectfully add the issues below to this debate. > > > >*I.**ICANN has never been given a mandate for Address Checking on > >a Massive Scale* > > > >Although the Contractor’s Report seems to suggest that the ICANN > >Community has approved the massive checking of postal addresses in > >the existing gTLD Whois databases, that is not the case. > > > > > >A.The Whois Review Team Final Report set the standard of > >“contactability” -- reaching the domain name registrant with > >questions and concerns – not absolute accuracy of all data in the > >whois > > > >The Current NORC Study (2014) and its accompanying ICANN Staff > >Summary accompanying this NORC’s Pilot Report misrepresent the > >WHOIS Policy Review Team Final Report and its Recommendations. The > >goal of the Whois Review Team was “Contactibility” and > >“Reachability” of the Registrant. To this end WHOIS Policy Review > >Team Final Report looked “holistically” at the Whois record and > >did not seek the accuracy of each and every element of a > >Registrant’s Whois record. > > > > > >Specifically, the NORC Report of 2009/2010 (an earlier report > >called the NORC Data Accuracy Study) created five categories for > >ranking the data quality of a Whois record: *Full Failure* > >(overwhelmingly inaccurate); *Substantial Failure* (most data > >inaccurate); *Limited Failure* (data to some degree present and > >considered useful); *Minimal Failure* (may benefit from additional > >information, but data provided is accurate) and *No Failure *(data > >complete and accurate). > > > >*/ > >The Whois Review Team called for ICANN to significantly reduce the > >number of “Full Failure” and “Substantial Failure” Whois Records > >--- Avoidance of “No Failure” was not a goal at all./*As shared > >many times in meetings of the Whois Review Team and members of the > >ICANN Community, including the GAC, what the WHOIS Review Team > >recommended was that Whois information be sufficiently available > >and accurate for the Registrant to be reached –for legitimate > >technical, administrative and other questions: [Recommendation] > >“*6. ICANN shouldtakeappropriatemeasurestoreduce thenumberofWHOIS > >registrationsthatfallintotheaccuracygroupsSubstantial Failureand > >Full Failure(asdefinedbytheNORCDataAccuracyStudy,2009/10)by50%within12months > >andby50%againoverthefollowing12months.*” > > > > > >Thus, for the Whois Review Team, “No Failure” (full accuracy of > >all fields) was */not the goal/*;“contactability” and > >“reachability” of Registrants was. > > > > > > B. 2013 Registrar Accreditation Agreement > > > > > >The WHOIS Review Team Final Report noted that efforts were already > >underway to improve accuracy and contactibility of Registrants in > >the then-pending “direct negotiations with Registrars on revisions > >to the RAA.” These negotiations resulted in the 2013 RAA which > >furthered the goal of reaching Registrants through verified phone > >numbers and email addresses: > > > >1.f : “Verify: > > > >i.the email address of the Registered Name Holder (and, if > >different, the Account Holder) by sending an email requiring an > >affirmative response through a tool-based authentication method > >such as providing a unique code that must be returned in a manner > >designated by the Registrar, or > > > >ii.the telephone number of the Registered Name Holder (and, if > >different, the Account Holder) by either (A) calling or sending an > >SMS to the Registered Name Holder's telephone number providing a > >unique code that must be returned in a manner designated by the > >Registrar, or (B) calling the Registered Name Holder's telephone > >number and requiring the Registered Name Holder to provide a > >unique code that was sent to the Registered Name Holder via web, > >email or postal mail. > > > >As with the Final Report of the Whois Review Team, the goal of the > >2013 RAA was “contactability” and “reachability” of the domain > >name Registrant for technical or administrative questions by third > >parties. > > > >C.Where Did the “No Failure” Standard Come From for NORC – the > >Validation and Verification of Each and Every Whois Element > >Without Policy Processes or Assessments of the Risks and Harms? > > > >Consistent with the Whois Review Team Final Report and the 2013 > >RAA, we can understand the NORC methodology and approach to > >checking email addresses and telephone numbers – but postal > >address validation?Where is the underlying GNSO Policy driving > >this direction to NORC from ICANN Staff? > > > >*/Where is the assessment of the risks and benefits of updating > >the physical addresses of hundreds of millions of political, > >personal, religious, ethnic and sexual speakers – including > >dissidents, minorities and those discriminated against by the laws > >and customs of various regions?/*Where is NORC evaluating the > >wholesale and massive verification of postal address in the > >existing gTLD WHOIS databases without such an assessment?How did > >ICANN Staff come to direct it? > > > > > >The NORC Contractor seems to have jumped from the logical – > >checking email and phone – to checking physical addresses. But > >this leap from an open and undecided policy question to a mere > >implementation issue should be disturbing to everyone in the ICANN > >Community. What we know from history and the most tragic of recent > >events is that speech and physical location are a dangerous > >combination. > > > > > >When individuals armed with automatic rifles wish to express their > >disagreement with the legal speech of a satirical magazine, they > >find the location in Parisand kill writers, publishers and > >cartoonists. When they want to express contempt for those > >practicing another religion, they bring their guns to kosher > >grocery stores in Parisand synagogues in Copenhagen. Tracking down > >and beheading Christian minorities is a horror of daily life in > >some parts of the world. > > > > > >The UN Declaration of Human Rights, adopted in 1948, states: > > > > * Everyone has the right to freedom of opinion and expression; this > > right includes freedom to hold opinions without interference and > > to seek, receive and impart information and ideas through any > > media and regardless of frontiers. > > > > > >It does not say that everyone must put their address on that > >speech. Where, as here, the Internet has become the major path of > >communication for that speech, the requirement of a physical > >address for every speaker may well violate the requirement of the > >right to speak and the protection for that expression. > > > > > >Further, the validation of postal addresses represents a major > >change of policy – one not mandated or requested by the Whois > >Review Team, the 2013 RAA or by any Policy-Development Team we > >know of. > > > >Who has evaluated the impact and dangers of wholesale adoption of > >postal address validation of the long-existing gTLD Whois > >databases– especially in a world that has changed dramatically in > >the last few years – where entire governments have risen and > >fallen, where formerly free countries and regions are enslaved by > >terrorist organizations and a new set of dictators? While > >proxy/privacy registrations are available, */they are a costly > >luxury for many and completely unknown to others/*. > > > > > >The mandatory validation of the massive number of postal addresses > >in the gTLD Whois database – as appears to be the policy proposal > >buried between methodology and sample sizes in the Contractor’s > >report -- will result in the dangerous, harmful, even > >life-threatening exposure of those using their domain names for > >nothing more than communicating their ideas, concerns, political > >hopes, and religious meetings via private streams of domain name > >communications, such as on listservs and email addresses, and more > >public resources including websites and blogs. > > > > > >No policy we know has ever directed ICANN Staff to instruct a > >Contractor to engage in massive Postal Address Validation – and no > >policy development process we know has studied, weighed, debated > >or valued the enormous impact to speech and expression of going > >back over 25+ years of domain names registrations to suddenly > >“correct” the postal address and thereby expose battered women’s > >shelters, women’s schools in Pakistan, pro-democracy groups, > >family planning groups and LBGQT locations worldwide. > > > > > >If this is the policy we in ICANN choose to adopt in the future > >(as we certainly have NOT adopted it already), then it will > >require enormous amounts of preparation, notice and warning to > >gTLD domain name > >registrants on a global scale. Absent that, we know (without doubt > >or hyperbole) that ICANN will have blood on its hands. > > > >Overall, ICANN’s Contractor NORC seems to have jumped into > >policy-making, not mere implementation. > > > >* > >II. ****Identity Validation – Really? * > > > > > >Buried deep in Appendix B, of the Contractor’s Report, behind > >“syntactic accuracy” and “operational accuracy” is the explosive > >issue of “exploring accuracy from an identity perspective” (page > >45). > > > >At no time has ICANN ever held a Policy Development Processes on > >Identity Validation. Accordingly, where does this guidance from > >ICANN to its Contractor to explore identity validation > >implementation come from?For those who attended the public Whois > >meeting in LA, this issue certainly was not flagged in the > >discussion; for those who attended the public meeting in > >Singapore, this issue was introduced and IMMEDIATELY FLAGGED as > >intensely controversial and divisive. > > > > > >Identity validation of those engaged in freedom of expression, > >publishing and political discussion is a deeply controversial > >prospect – and one with heartfelt objection and opposition > >grounded in history and law. The United States, for example, > >sought to be free of Englandin part because of the mandatory > >licensing of its printing presses – and the arrest of all who > >published objections to actions of the English crown. Pamphlets > >issued without names and addresses are not just a cultural right > >in the US, but a constitutional one./McIntyre vs. > >//Ohio//Elections Commission, 514 //U.S.//334 (US Supreme Court, > >1995). / > > > > > >A.The GAC asked for a weighing of the risks and benefits > > > >We note that the GAC has not issued policy in this area. According > >to the “Brief Overview” provided by ICANN as introduction to this > >Contractor Report and this public comment period, the GAC “asked > >for an assessment of the feasibility, costs and benefits of > >conducting identity validation as part of the development of the > >ARS.” > > > > > >Nowhere in this report do we see any assessment of the costs, > >delays, risks and harms that might be incurred by gTLD > >Registrants, Registrars and Registries worldwide if identity > >validation were adopted. Nowhere do we even see an analysis of how > >identity validation takes places, what happens when a minority > >seeks to register, or when a speaker must disclose and show her > >identification as the cost of signing up for a domain name > >highlighting family planning, women rights, or women’s education > >in parts of the world not as conducive to these fundamental rights > >and basic principles. Must she go through her father for this too? > > > > > >B.ICANN has promised a policy making process. > > > >In his response to the GAC on this issue, Dr. Crocker noted concerns: > > > >The costs of operating the Accuracy Reporting System are largely dependent > > > >upon the number of WHOIS records to be examined, as well as the level of > > > >validation (syntactic, operational, or identity). For example, the initial > > > >responses to the ICANN RFP reveal that identity validation > >services are both > > > >costly and difficult to administer on a global basis. */There may > >also be data/* > > > >*/protection and privacy issues of concern to the community when > >conducting/* > > > >*/extensive identity validation on WHOIS records./*Hence, the costs of > > > >completing the development of Phase 3 will be determined based on > > > >engagement with the community to identify the appropriate level of > >identity > > > >validation for ICANN to conduct, as well as the costs associated with > > > >performing identity validation on a global scale. (https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf, > >emphasis added.) > > > > > >As always, policy development must proceed implementation. We call > >on ICANN to take this discussion out of the recesses of a > >Contractor report, and into the light of the policy development > >process. > > > >* > > III**. Wide Outreach Needed* > > > >One thing the Whois Review Team did note in its Final Review is > >the need for clear and concerted outreach on issues that impact > >the Whois: “We found great interest in the WHOIS policy among a > >number of groups that do not traditionally participate in ICANN’s > >more technical proceedings. They include the law enforcement > >community, Data Protection Commissioners, and the privacy > >community more generally.”The Whois Review Team’s recommendation > >specifically call for active and concerted outreach to these > >communities of its issue: > > > >*/Recommendation 3 - Outreach /* > > > >ICANN should ensure that WHOIS policy issues are accompanied by > >cross-community outreach, including outreach to the communities > >outside of ICANN with a specific interest in the issues, and an > >ongoing program for consumer awareness. > > > > > >That has clearly not happened here – when so much of substance is > >buried so deeply in the back of a report. When will ICANN be > >undertaking clear, robust global Outreach on these important > >freedom of expression and privacy issues and implications? > > > >* > >IV.**Finally, let’s Add Policy Staff and Freedom of Expression and > >Data Protection Expertise* > > > >We ask that an ICANN Staff deeply steeped in data protection and > >freedom of expression laws and rights be brought on to work on the > >development of these address and identity issues. We understand > >that ICANN feels previous backgrounds of its staffers do not limit > >their activities, but the perception and reality of this issue > >would be considered much more balanced if the ICANN Staffers of > >the project hailed from an array of backgrounds and had > >represented multiple sides of this issue in their prior lives. > > > >* > >V.**Conclusion* > > > >We can’t bury wholesale physical address checking and the new > >concept of identity validation in the back of a Contractor Report. > >These are NOT policies examined or endorsed by the whole of the > >ICANN or even the GNSO communities, nor policies evaluated yet by > >the whole of the ICANN Community. The risks and benefits must be > >assessed before the implementation is planned. > > > > > >Signed, > > > > > >MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP > >[name, and/or organization, and/or country] > > >