Sorry if I am too late, but I could not respond earlier:

I fully support this NCSG response, and if you can still add my name to the supporters, please do.

It is soooo bad that this discussion is going on and on, because some economic interests prevent a solution along the lines which we have supported since many years. I remember to have actively participated in the WHOIS debate many years ago, when I was in NCUC and then in the GNSO council...


Norbert Klein
Open Institute
Cambodia

On 03/14/2015 05:32 AM, Amr Elsadr wrote:
Hi,

Thanks to everyone who sent in a response indicating support to this thread. I’ve sent in the attached copy of the statement as NCSG input, but Kathy was kind enough to list everyone who endorsed the comment. The public comment period closes in about 90 minutes, but it is still sometimes possible to send in responses shortly after it is closed.

If anyone else would like to be listed as a supporter, you can do this by responding (sooner better than later) to this thread, or send in an email to [log in to unmask] indicating your support to the NCSG statement.

The attached NCSG statement should be made available here very soon as well: http://forum.icann.org/lists/comments-whois-ars-pilot-23dec14/

Thanks.

Amr



On Mar 13, 2015, at 10:06 PM, Tapani Tarvainen <[log in to unmask]> wrote:

Please add my name as well.

-- 
Tapani Tarvainen

On Fri, Mar 13, 2015 at 02:54:52PM -0400, Nicolas Adam ([log in to unmask]) wrote:

Please add my name also. Good work.

Nicolas Adam

On 13/03/2015 2:11 PM, Kathy Kleiman wrote:

Dear All,

Attached please find an important set of comments. They are to the
Whois Accuracy Pilot Study Report – by a group of researchers at
the University of Chicago called NORC. Buried in this report turn
out to be many issues important to us in the Whois domain name
registration databases – including the question of postal
addresses (should we be validating and publishing the physical
addresses of political dissident groups, religious minorities,
girls’ schools in areas where many do not like girls’ education? Is
there a danger to be evaluated *before* we undertake this new
policy?)

Identity Validation is a very open question as well, yet NORC
seems ready to start work in this area. I have written a set of
questions that say STOP – and let’s consider the policy
implications of these acts before we develop plans to put them
into effect. The comments are below (with a full copy attached).

*They are due tonight! If you can sign on, please do. Please let me
know your name and/or organization and/or country.*

Great tx to Stephanie Perrin for editing! Here are some thoughts
of members on our Policy Committee:

-Kathy’s drafted, what I believe to be, an excellent comment in
response. – Amr Elsadr

-Great job Kathy!!  I support this document.  -- Stephanie Perrin

-Feel free to add my name as endorsing the document – Ed Morris

Best and tx!!
Kathy (Kleiman)

*WHOIS Accuracy Pilot Study Report*

Burying Extremely Divisive Policy Questions in a Technical
Implementation Report Written by an ICANN Contractor is Improper
and, in this Case, Dangerous


These are comments written in response to the WHOIS Accuracy Pilot
Study Report. Buried in this Report – which purports to be an
implementation report of an ICANN Contractor (NORC/University of
Chicago) -- are some of the most controversial and unsettled
issues in ICANN policy discussions and history. These issues are
the subject of deep and bitter divides over many years of ICANN
work, the subject of interest across the world, and the focus of a
series of explosive comments in Singapore when the ICANN Community
began to realize what was happening.


It is inappropriate in the extreme, for ICANN policy issues to be
buried in an ICANN Contractor’s implementation report, and even
further, deep in its Appendix B, /Next Steps for the Development of
the WHOIS Accuracy Report System (ARS)/. This follows pages of
study “methods and approach” language and sample design which are
obscure even to those who follow Whois policy issues on a regular
basis. We submit that after the many years of heated controversy
over this topic, it is disingenuous at the very least to allow
this to happen policy debate to continue its development in this
manner.

We are deeply concerned that ICANN Staff has not flagged this
Report, or this Comment Proceeding, for what it appears to be – a
process to seek permission from the ICANN Community for the:

a) *wholesale checking of the physical addresses of online speakers
across the world (whether using domain names for political speech,
personal speech, or religious, ethnic or sexual minority
expression)* thus creating an unprecedented inextricable link
between a speaker and her physical location, and

b) *the radical new concept of Identity Validation for each and
every domain name Registrant to the ICANN Community*, a concept
with inconceivable implications for political, ethnic and
religious minorities worldwide, as well as entrepreneurs, emerging
organizations and those operating today without identities who
seek to create them.

We respectfully add the issues below to this debate.

*I. ICANN has never been given a mandate for Address Checking on
a Massive Scale*

Although the Contractor’s Report seems to suggest that the ICANN
Community has approved the massive checking of postal addresses in
the existing gTLD Whois databases, that is not the case.


A. The Whois Review Team Final Report set the standard of
“contactability” -- reaching the domain name registrant with
questions and concerns – not absolute accuracy of all data in the
whois

The Current NORC Study (2014) and its accompanying ICANN Staff
Summary accompanying this NORC’s Pilot Report misrepresent the
WHOIS Policy Review Team Final Report and its Recommendations. The
goal of the Whois Review Team was “Contactibility” and
“Reachability” of the Registrant. To this end WHOIS Policy Review
Team Final Report looked “holistically” at the Whois record and
did not seek the accuracy of each and every element of a
Registrant’s Whois record.


Specifically, the NORC Report of 2009/2010 (an earlier report
called the NORC Data Accuracy Study) created five categories for
ranking the data quality of a Whois record: *Full Failure*
(overwhelmingly inaccurate); *Substantial Failure* (most data
inaccurate); *Limited Failure* (data to some degree present and
considered useful); *Minimal Failure* (may benefit from additional
information, but data provided is accurate) and *No Failure* (data
complete and accurate).

*/The Whois Review Team called for ICANN to significantly reduce the
number of “Full Failure” and “Substantial Failure” Whois Records
--- Avoidance of “No Failure” was not a goal at all./* As shared
many times in meetings of the Whois Review Team and members of the
ICANN Community, including the GAC, what the WHOIS Review Team
recommended was that Whois information be sufficiently available
and accurate for the Registrant to be reached – for legitimate
technical, administrative and other questions: [Recommendation]
“*6. ICANN should take appropriate measures to reduce the number of WHOIS
registrations that fall into the accuracy groups Substantial Failure and
Full Failure (as defined by the NORC Data Accuracy Study, 2009/10) by 50%
within 12 months and by 50% again over the following 12 months.*”


Thus, for the Whois Review Team, “No Failure” (full accuracy of
all fields) was */not the goal/*; “contactability” and
“reachability” of Registrants was.


B. 2013 Registrar Accreditation Agreement


The WHOIS Review Team Final Report noted that efforts were already
underway to improve accuracy and contactibility of Registrants in
the then-pending “direct negotiations with Registrars on revisions
to the RAA.” These negotiations resulted in the 2013 RAA which
furthered the goal of reaching Registrants through verified phone
numbers and email addresses:

1.f : “Verify:

i. the email address of the Registered Name Holder (and, if
different, the Account Holder) by sending an email requiring an
affirmative response through a tool-based authentication method
such as providing a unique code that must be returned in a manner
designated by the Registrar, or

ii. the telephone number of the Registered Name Holder (and, if
different, the Account Holder) by either (A) calling or sending an
SMS to the Registered Name Holder's telephone number providing a
unique code that must be returned in a manner designated by the
Registrar, or (B) calling the Registered Name Holder's telephone
number and requiring the Registered Name Holder to provide a
unique code that was sent to the Registered Name Holder via web,
email or postal mail.

As with the Final Report of the Whois Review Team, the goal of the
2013 RAA was “contactability” and “reachability” of the domain
name Registrant for technical or administrative questions by third
parties.

C. Where Did the “No Failure” Standard Come From for NORC – the
Validation and Verification of Each and Every Whois Element
Without Policy Processes or Assessments of the Risks and Harms?

Consistent with the Whois Review Team Final Report and the 2013
RAA, we can understand the NORC methodology and approach to
checking email addresses and telephone numbers – but postal
address validation? Where is the underlying GNSO Policy driving
this direction to NORC from ICANN Staff?

*/Where is the assessment of the risks and benefits of updating
the physical addresses of hundreds of millions of political,
personal, religious, ethnic and sexual speakers – including
dissidents, minorities and those discriminated against by the laws
and customs of various regions?/* Where is NORC evaluating the
wholesale and massive verification of postal address in the
existing gTLD WHOIS databases without such an assessment? How did
ICANN Staff come to direct it?


The NORC Contractor seems to have jumped from the logical –
checking email and phone – to checking physical addresses. But
this leap from an open and undecided policy question to a mere
implementation issue should be disturbing to everyone in the ICANN
Community. What we know from history and the most tragic of recent
events is that speech and physical location are a dangerous
combination.


When individuals armed with automatic rifles wish to express their
disagreement with the legal speech of a satirical magazine, they
find the location in Paris and kill writers, publishers and
cartoonists. When they want to express contempt for those
practicing another religion, they bring their guns to kosher
grocery stores in Paris and synagogues in Copenhagen. Tracking down
and beheading Christian minorities is a horror of daily life in
some parts of the world.


The UN Declaration of Human Rights, adopted in 1948, states:

* Everyone has the right to freedom of opinion and expression; this
  right includes freedom to hold opinions without interference and
  to seek, receive and impart information and ideas through any
  media and regardless of frontiers.


It does not say that everyone must put their address on that
speech. Where, as here, the Internet has become the major path of
communication for that speech, the requirement of a physical
address for every speaker may well violate the requirement of the
right to speak and the protection for that expression.


Further, the validation of postal addresses represents a major
change of policy – one not mandated or requested by the Whois
Review Team, the 2013 RAA or by any Policy-Development Team we
know of.

Who has evaluated the impact and dangers of wholesale adoption of
postal address validation of the long-existing gTLD Whois
databases – especially in a world that has changed dramatically in
the last few years – where entire governments have risen and
fallen, where formerly free countries and regions are enslaved by
terrorist organizations and a new set of dictators? While
proxy/privacy registrations are available, */they are a costly
luxury for many and completely unknown to others/*.


The mandatory validation of the massive number of postal addresses
in the gTLD Whois database – as appears to be the policy proposal
buried between methodology and sample sizes in the Contractor’s
report -- will result in the dangerous, harmful, even
life-threatening exposure of those using their domain names for
nothing more than communicating their ideas, concerns, political
hopes, and religious meetings via private streams of domain name
communications, such as on listservs and email addresses, and more
public resources including websites and blogs.


No policy we know has ever directed ICANN Staff to instruct a
Contractor to engage in massive Postal Address Validation – and no
policy development process we know has studied, weighed, debated
or valued the enormous impact to speech and expression of going
back over 25+ years of domain name registrations to suddenly
“correct” the postal address and thereby expose battered women’s
shelters, women’s schools in Pakistan, pro-democracy groups,
family planning groups and LGBTQ locations worldwide.


If this is the policy we in ICANN choose to adopt in the future
(as we certainly have NOT adopted it already), then it will
require enormous amounts of preparation, notice and warning to
gTLD domain name
registrants on a global scale. Absent that, we know (without doubt
or hyperbole) that ICANN will have blood on its hands.

Overall, ICANN’s Contractor NORC seems to have jumped into
policy-making, not mere implementation.

*II. Identity Validation – Really?*


Buried deep in Appendix B, of the Contractor’s Report, behind
“syntactic accuracy” and “operational accuracy” is the explosive
issue of “exploring accuracy from an identity perspective” (page
45).

At no time has ICANN ever held a Policy Development Process on
Identity Validation. Accordingly, where does this guidance from
ICANN to its Contractor to explore identity validation
implementation come from? For those who attended the public Whois
meeting in LA, this issue certainly was not flagged in the
discussion; for those who attended the public meeting in
Singapore, this issue was introduced and IMMEDIATELY FLAGGED as
intensely controversial and divisive.


Identity validation of those engaged in freedom of expression,
publishing and political discussion is a deeply controversial
prospect – and one with heartfelt objection and opposition
grounded in history and law. The United States, for example,
sought to be free of England in part because of the mandatory
licensing of its printing presses – and the arrest of all who
published objections to actions of the English crown. Pamphlets
issued without names and addresses are not just a cultural right
in the US, but a constitutional one. /McIntyre vs. Ohio Elections
Commission, 514 U.S. 334 (US Supreme Court, 1995)./


A. The GAC asked for a weighing of the risks and benefits

We note that the GAC has not issued policy in this area. According
to the “Brief Overview” provided by ICANN as introduction to this
Contractor Report and this public comment period, the GAC “asked
for an assessment of the feasibility, costs and benefits of
conducting identity validation as part of the development of the
ARS.”


Nowhere in this report do we see any assessment of the costs,
delays, risks and harms that might be incurred by gTLD
Registrants, Registrars and Registries worldwide if identity
validation were adopted. Nowhere do we even see an analysis of how
identity validation takes place, what happens when a minority
seeks to register, or when a speaker must disclose and show her
identification as the cost of signing up for a domain name
highlighting family planning, women rights, or women’s education
in parts of the world not as conducive to these fundamental rights
and basic principles. Must she go through her father for this too?


B. ICANN has promised a policy making process.

In his response to the GAC on this issue, Dr. Crocker noted concerns:

The costs of operating the Accuracy Reporting System are largely dependent
upon the number of WHOIS records to be examined, as well as the level of
validation (syntactic, operational, or identity). For example, the initial
responses to the ICANN RFP reveal that identity validation services are both
costly and difficult to administer on a global basis. */There may also be data
protection and privacy issues of concern to the community when conducting
extensive identity validation on WHOIS records./* Hence, the costs of
completing the development of Phase 3 will be determined based on
engagement with the community to identify the appropriate level of identity
validation for ICANN to conduct, as well as the costs associated with
performing identity validation on a global scale.
(https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf,
emphasis added.)


As always, policy development must precede implementation. We call
on ICANN to take this discussion out of the recesses of a
Contractor report, and into the light of the policy development
process.

*III. Wide Outreach Needed*

One thing the Whois Review Team did note in its Final Review is
the need for clear and concerted outreach on issues that impact
the Whois: “We found great interest in the WHOIS policy among a
number of groups that do not traditionally participate in ICANN’s
more technical proceedings. They include the law enforcement
community, Data Protection Commissioners, and the privacy
community more generally.” The Whois Review Team’s recommendation
specifically calls for active and concerted outreach to these
communities of its issue:

*/Recommendation 3 - Outreach/*

ICANN should ensure that WHOIS policy issues are accompanied by
cross-community outreach, including outreach to the communities
outside of ICANN with a specific interest in the issues, and an
ongoing program for consumer awareness.


That has clearly not happened here – when so much of substance is
buried so deeply in the back of a report. When will ICANN be
undertaking clear, robust global Outreach on these important
freedom of expression and privacy issues and implications?

*IV. Finally, let’s Add Policy Staff and Freedom of Expression and
Data Protection Expertise*

We ask that an ICANN Staff deeply steeped in data protection and
freedom of expression laws and rights be brought on to work on the
development of these address and identity issues. We understand
that ICANN feels previous backgrounds of its staffers do not limit
their activities, but the perception and reality of this issue
would be considered much more balanced if the ICANN Staffers of
the project hailed from an array of backgrounds and had
represented multiple sides of this issue in their prior lives.

*V. Conclusion*

We can’t bury wholesale physical address checking and the new
concept of identity validation in the back of a Contractor Report.
These are NOT policies examined or endorsed by the whole of the
ICANN or even the GNSO communities, nor policies evaluated yet by
the whole of the ICANN Community. The risks and benefits must be
assessed before the implementation is planned.


Signed,


MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP
[name, and/or organization, and/or country]