[bc-gnso] Additional info for Whois Studies discussion at 1-AprGNSO Council Meeting

Marilyn Cade marilynscade at hotmail.com
Thu Apr 1 14:14:05 UTC 2010 

While I support Steve's "thesis", I wouldn't refer to the GAC, who has worked productively with business and law enforcement as "giants", however. 

I do support that policy has to be supported by informed data /research and these studies should receive the funding needed. The amount proposed is indeed small compared to the overall budget and will jelp to inform policy making. 

I would have suggested a higher amount for the initial authorized budget-- but getting two studies authorized for this budget year is a start on the right direction. 

WHOIS is important to all Business users, and for more than trademark collision issues. 

The delay in undertaking the studies is already a serious challenge since further understanding of existing issues is important to also inform the new gTLD and IDN programs. 


Sent via BlackBerry by AT&T

-----Original Message-----
From: Steve DelBianco <sdelbianco at netchoice.org>
Date: Thu, 1 Apr 2010 13:13:10 
To: <zahid at jamilandjamil.com>; <icann at rodenbaugh.com>
Cc: <bc-gnso at icann.org>
Subject: [bc-gnso] Additional info for Whois Studies discussion at 1-Apr
 GNSO Council Meeting

Mike and Zahid -- I predict you will encounter resistance today to the Study on Whois Misuse ($150K).  If I were there, I would offer this:
 
 Milton Mueller, Robin Gross and the NCUC had for years claimed that people suffered harm and harassment BECAUSE their data was displayed in Whois.   It was just an assertion with no data support, but it was their main argument against Whois.
 
 That's why I suggested study #1 and Claudio of INTA suggested studies 14 and 15.   We wanted some data to know if significant harm comes from Whois.  It's probable that a few harassment cases came from Whois but I am confident it won't be material or significant, and we can show that there are other sources where email addresses could be obtained.   (See below for what Liz Gasster and Lorrie Cranor had to say about the misuse studies)
 
 I've already mentioned the AoC review of Whois that's coming next year.   And then there's the GAC.  In their Whois letter (http://www.icann.org/correspondence/karlins-to-thrush-16apr08.pdf)  the GAC explicitly calls for misuse data:
 
 The goal should be to initially compile data that provides a documented evidence base regarding: ...  the types and extent of misuses of WHOIS data and what harm is caused by each type of misuse, including economic, use of WHOIS data in SPAM generation, abuse of personal data, loss of reputation or identity theft, security costs and loss of data.
 
 There's a lesson I learned during the Microsoft case:  "Don't moon the giant."   This study is $150K out of a $70M annual budget and that's a small price to pay to avoid mooning the giants of GAC and USG.
 
 Just my two cents.
 --Steve
 
 
 Below is the early analysis from the esteemed Lorrie Cranor of ATT and W3C.  Lorrie concluded it might be helpful though she thought it would be inexpensive.
 
 WHOIS misuse studies
 Four proposals (suggestions #1, #14, #15 and #21) suggest that ICANN study misuse of WHOIS data to determine the connection, if any, between WHOIS and illegal activities. These studies will help establish the extent and nature of problems caused by unprotected WHOIS data.
 Study Suggestion Number 1: (DelBianco)  1) Gather data on WHOIS misuse from consumer protection bureaus and other entities who maintain data on misuse incidents reported by registrants and 2) survey a random sample of registrants in each gTLD and selected ccTLDs.
 Study Suggestion Number 14: (INTA)  Create a set of new email addresses, use half of them to register domain names, and monitor all for spam for 90 days to determine how much WHOIS information contributes to spam.
 Study Suggestion Number 15: (INTA) Create a set of new email addresses, use them to register new domain names at registrars that allow and disallow port 43 WHOIS queries, and monitor all for spam to determine the extent to which port 43 WHOIS queries contribute to spam.
 Study Suggestion Number 21: (Kleiman) Survey registrars and human rights organizations to determine how WHOIS is being used in ways that seem to have no bearing on the security and stability of the DNS.
 
 1 and 21 propose to survey registrars and other parties who may keep records of misuse incidents. 1 also proposes a survey of registrants. These proposed studies may shed some light on the extent and type of misuse of WHOIS data. However, it will be difficult to gather representative data as not all cases of abuse are reported. In addition, it is not always possible to confirm that misused data was obtained from WHOIS, as this information may be available form other sources. A registrant survey is likely to receive disproportionate responses from registrants who believe their WHOIS information has been abused. Nonetheless, the above studies may result in useful qualitative data about the nature of misuse and provide a rough quantitative estimate of the extent of misuse. Surveying those who already keep track of abuse incidents is likely to be a relatively low- cost approach. The registrant study is likely to be more expensive if done on a large scale, and seems less likely to result in useful data.
 
 14 and 15 focus specifically on spam and propose studies in which new email addresses are created and used to register domains to determine how much WHOIS information contributes to spam. 15 compares the amount of spam received as a result of registering a domain at registrars that allow and prohibit port 43 WHOIS queries. These studies should results in fairly accurate quantitative data. However, 14 is quite similar to the October 2007 SSAC study "Is the WHOIS service a source for email addresses for spammers?" and would not likely contribute new information. If port 43 queries are of interest from a policy perspective, study 15 should provide reliable data to inform that discussion.
 
 
 
 On 3/31/10 5:43 PM, "Steve DelBianco" <sdelbianco at netchoice.org> wrote:
 
 Mike & Zahid -- 
 
 You asked for some BC membership views on the Whois studies that will be discussed at your Council meeting tomorrow (1-Apr).  See below and attachment.   Hope this helps.
 
 Your agenda shows potential actions on Whois studies:
 3.4.1 Review and assess cost and feasibility estimates for the studies
 3.4.2 Decide whether to pursue any of the studies and, if so, which ones
 3.4.3 Provide input into the FY11 budget process
 3.5 How should we accomplish the above?
 .    Should we form a drafting team to develop recommendations for consideration in our next meeting?
 .    Note that a final budget has to be finished by 17 May and there are currently no funds budgeted for Whois Studies
 
 My recommendations:
 
 Let's proceed with the Misuse and Registrant Identification studies.  
 
 The Misuse and Registrant ID studies are likely to generate data that would affect policy decisions and compliance work.  These 2 studies are not going to stop the long-standing disagreements between passionate parties on either side, but that's not the point of doing studies.   Remember the debate over domain tasting?  Fact-based data on the number of deletes with the AGP were astounding, and helped us enact a policy change.  The data did not make everyone agree on whether domain tasting was harmful.  But facts showed a hugely prevalent use of AGP that was outside its original purpose, and that moved us to a new consensus policy.
 
 We'll certainly use study data when setting policy and compliance standards, especially with so many new TLD operators coming online next year.  
 
 Moreover, the Affirmation of Commitments (9.3.1) requires ICANN to "organize a review of WHOIS policy and its implementation to assess the extent to which WHOIS policy is effective and its implementation meets the legitimate needs of law enforcement and promotes consumer trust".  The Misuse and Registrant data studies will be essential for that review.
 
 We will also want to have these study results on hand so they can be compared with study results after new TLDs are operating for one year, as required by the Affirmation of Commitments item 9.3 
 
 
 Let's go right to the core issue of Money.  Consider this discussion that happened during Council meeting in Nairobi:
 Liz Gasster described some study proposals as "expensive" and then Stefane and Wolf commented on the costs and budget constraints.   
 
 I intervened to say that the lack of fact-based studies has itself been very expensive over several years of time & travel on the part of dozens of community members.   Those costs will continue unless/until we have facts at hand to make policy decisions.
 
 Marilyn made a similar point about need for fact-based analysis.    
 
 Bruce Tonkin recommended that Council budget a lump sum for studies, then decide how to spend it.  Don't budget each specific study, he said.
 
 I believe Bruce Tonkin is right.  Council should ask for a budget of $XXX,XXX in FY 2011 for a general category of Whois studies.   Since we need a budget number now, I'd say $360,000, to cover the misuse and registrant studies ($150K each) plus a 20% contingency.  
 
 Next steps: I would ask staff to begin negotiating with the two 'superior' bidders on detailed workplan for their studies.  Staff should start by asking bidders to review:
 
 The 4-Mar-2009 Council resolution on Whois studies, including the original rationale for each hypothesis, etc.   
 
 The Affirmation of Commitments, items 9.3 and 9.3.1
 
 Staff should also show the bidders any Whois-related items in the Draft Applicant Guidebook.
 
 Superior Bidders can then prepare detailed study workplans that policy staff can analyze and present to Council later this year. 
 
 
 Note:  The Staff report (page 7) mentions the Whois Accuracy report, and asks whether "barriers to accuracy" provide useful insights to policy.  
 
 I would answer, "Accuracy is something we aspire to; whereas inaccuracy is a contract compliance problem."    
 
 Let's set high aspirations to require accurate Whois data for registrants, even if we know that lots of data is inaccurate today. After all, registrars manage to gather credit card information that's sufficiently accurate to ensure they get paid.   Let's find ways to ensure they apply the same diligence in collecting and validating public Whois data.
 
 (Note: Susan Kawaguchi of Facebook volunteered to draft BC comments on Whois Accuracy report.  Those aren't due until 15-Apr)   
 
 Whois Studies Reports and resources: 
 https://st.icann.org/gnso-council/index.cgi?whois_discussion#
 http://gnso.icann.org/issues/whois/whois-studies-report-for-gnso-23mar10-en.pdf
 Presentation Slides: http://gnso.icann.org/correspondence/whois-studies-presentation-01apr10-en.pdf
 
 -- 
 Steve DelBianco
 Executive Director
 NetChoice
 http://www.NetChoice.org and http://blog.netchoice.org 
 +1.202.420.7482

More information about the Bc-gnso mailing list