<HTML>
<HEAD>
<TITLE>Additional info for Whois Studies discussion at 1-Apr GNSO Council Meeting</TITLE>
</HEAD>
<BODY>
<FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:10pt'>Mike and Zahid -- I predict you will encounter resistance today to the Study on Whois Misuse ($150K). If I were there, I would offer this:<BR>
<BR>
Milton Mueller, Robin Gross and the NCUC had for years claimed that people suffered harm and harassment BECAUSE their data was displayed in Whois. It was just an assertion with no data support, but it was their main argument against Whois.<BR>
<BR>
That’s why I suggested study #1 and Claudio of INTA suggested studies 14 and 15. We wanted some data to know if significant harm comes from Whois. It’s probable that a few harassment cases came from Whois but I am confident it won’t be material or significant, and we can show that there are other sources where email addresses could be obtained. (See below for what Liz Gasster and Lorrie Cranor had to say about the misuse studies)<BR>
<BR>
I’ve already mentioned the AoC review of Whois that’s coming next year. And then there’s the GAC. In their Whois letter (<FONT COLOR="#0000FF"><U><a href="http://www.icann.org/correspondence/karlins-to-thrush-16apr08.pdf">http://www.icann.org/correspondence/karlins-to-thrush-16apr08.pdf</a></U></FONT>) the GAC explicitly calls for misuse data:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT SIZE="2"><FONT FACE="Times New Roman"><SPAN STYLE='font-size:9pt'>The goal should be to initially compile data that provides a documented evidence base regarding: ...</SPAN></FONT><SPAN STYLE='font-size:9pt'><FONT FACE="Helvetica, Verdana, Arial"> </FONT><FONT FACE="Times New Roman">the types and extent of misuses of WHOIS data and what harm is caused by each type of misuse, including economic, use of WHOIS data in SPAM generation, abuse of personal data, loss of reputation or identity theft, security costs and loss of data.<BR>
</FONT></SPAN></FONT></BLOCKQUOTE><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:10pt'><BR>
There’s a lesson I learned during the Microsoft case: “<B>Don’t moon the giant</B>.” This study is $150K out of a $70M annual budget and that’s a small price to pay to avoid mooning the giants of GAC and USG.<BR>
<BR>
Just my two cents.<BR>
--Steve<BR>
<BR>
<BR>
Below is the early analysis from the esteemed Lorrie Cranor of ATT and W3C. Lorrie concluded it might be helpful though she thought it would be inexpensive.<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><SPAN STYLE='font-size:10pt'><FONT FACE="Times New Roman Bold">WHOIS misuse studies<BR>
</FONT><FONT FACE="Times New Roman">Four proposals (suggestions #1, #14, #15 and #21) suggest that ICANN study misuse of WHOIS data to determine the connection, if any, between WHOIS and illegal activities. These studies will help establish the extent and nature of problems caused by unprotected WHOIS data.<BR>
</FONT></SPAN><BLOCKQUOTE><SPAN STYLE='font-size:10pt'><FONT FACE="Times New Roman Bold">Study Suggestion Number 1: (DelBianco) </FONT><FONT FACE="Times New Roman">1) Gather data on WHOIS misuse from consumer protection bureaus and other entities who maintain data on misuse incidents reported by registrants and 2) survey a random sample of registrants in each gTLD and selected ccTLDs.<BR>
</FONT><FONT FACE="Times New Roman Bold">Study Suggestion Number 14: (INTA) </FONT><FONT FACE="Times New Roman">Create a set of new email addresses, use half of them to register domain names, and monitor all for spam for 90 days to determine how much WHOIS information contributes to spam.<BR>
</FONT><FONT FACE="Times New Roman Bold">Study Suggestion Number 15: (INTA) </FONT><FONT FACE="Times New Roman">Create a set of new email addresses, use them to register new domain names at registrars that allow and disallow port 43 WHOIS queries, and monitor all for spam to determine the extent to which port 43 WHOIS queries contribute to spam.<BR>
</FONT><FONT FACE="Times New Roman Bold">Study Suggestion Number 21: (Kleiman) </FONT><FONT FACE="Times New Roman">Survey registrars and human rights organizations to determine how WHOIS is being used in ways that seem to have no bearing on the security and stability of the DNS.<BR>
</FONT></SPAN></BLOCKQUOTE><SPAN STYLE='font-size:10pt'><FONT FACE="Times New Roman"><BR>
1 and 21 propose to survey registrars and other parties who may keep records of misuse incidents. 1 also proposes a survey of registrants. These proposed studies may shed some light on the extent and type of misuse of WHOIS data. However, it will be difficult to gather representative data as not all cases of abuse are reported. In addition, it is not always possible to confirm that misused data was obtained from WHOIS, as this information may be available form other sources. A registrant survey is likely to receive disproportionate responses from registrants who believe their WHOIS information has been abused. <FONT COLOR="#0000FE"><B>Nonetheless, the above studies may result in useful qualitative data about the nature of misuse and provide a rough quantitative estimate of the extent of misuse. Surveying those who already keep track of abuse incidents is likely to be a relatively low- cost approach.</B></FONT><B> </B>The registrant study is likely to be more expensive if done on a large scale, and seems less likely to result in useful data.<BR>
<BR>
14 and 15 focus specifically on spam and propose studies in which new email addresses are created and used to register domains to determine how much WHOIS information contributes to spam. 15 compares the amount of spam received as a result of registering a domain at registrars that allow and prohibit port 43 WHOIS queries. These studies should results in fairly accurate quantitative data. However, 14 is quite similar to the October 2007 SSAC study “Is the WHOIS service a source for email addresses for spammers?” and would not likely contribute new information. If port 43 queries are of interest from a policy perspective, study 15 should provide reliable data to inform that discussion.<BR>
</FONT></SPAN></BLOCKQUOTE><SPAN STYLE='font-size:10pt'><FONT FACE="Optima, Times New Roman"><BR>
<BR>
<BR>
On 3/31/10 5:43 PM, "Steve DelBianco" <<a href="sdelbianco@netchoice.org">sdelbianco@netchoice.org</a>> wrote:<BR>
<BR>
</FONT></SPAN><BLOCKQUOTE><FONT FACE="Optima, Times New Roman"><FONT SIZE="4"><SPAN STYLE='font-size:11pt'>Mike & Zahid -- <BR>
<BR>
You asked for some BC membership views on the Whois studies that will be discussed at your Council meeting tomorrow (1-Apr). See below and attachment. Hope this helps.<BR>
<BR>
Your agenda shows potential actions on Whois studies:<BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT FACE="Optima, Times New Roman"><FONT SIZE="4"><SPAN STYLE='font-size:11pt'>3.4.1 Review and assess cost and feasibility estimates for the studies<BR>
3.4.2 Decide whether to pursue any of the studies and, if so, which ones<BR>
3.4.3 Provide input into the FY11 budget process<BR>
3.5 How should we accomplish the above?<BR>
• Should we form a drafting team to develop recommendations for consideration in our next meeting?<BR>
• Note that a final budget has to be finished by 17 May and there are currently no funds budgeted for Whois Studies<BR>
</SPAN></FONT></FONT></BLOCKQUOTE><FONT FACE="Optima, Times New Roman"><FONT SIZE="4"><SPAN STYLE='font-size:11pt'><BR>
My recommendations:<BR>
<BR>
<FONT COLOR="#0000FF"><B>Let’s proceed with the Misuse and Registrant Identification studies. <BR>
</B></FONT><BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT FACE="Optima, Times New Roman"><FONT SIZE="4"><SPAN STYLE='font-size:11pt'>The Misuse and Registrant ID studies are likely to generate data that <U>would </U>affect policy decisions and compliance work. These 2 studies are not going to stop the long-standing disagreements between passionate parties on either side, but that’s not the point of doing studies. Remember the debate over domain tasting? Fact-based data on the number of deletes with the AGP were astounding, and helped us enact a policy change. The data did not make everyone agree on whether domain tasting was harmful. But facts showed a hugely prevalent use of AGP that was outside its original purpose, and that moved us to a new consensus policy.<BR>
<BR>
We’ll certainly use study data when setting policy and compliance standards, especially with so many new TLD operators coming online next year. <BR>
<BR>
Moreover, the Affirmation of Commitments (9.3.1) requires ICANN to </SPAN></FONT></FONT><FONT FACE="Arial"><SPAN STYLE='font-size:10pt'>“organize a review of WHOIS policy and its implementation to assess the extent to which WHOIS policy is effective and its implementation meets the legitimate needs of law enforcement and promotes consumer trust”. The Misuse and Registrant data studies will be essential for that review.<BR>
</SPAN></FONT><FONT SIZE="4"><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:11pt'><BR>
We will also want to have these study results on hand so they can be compared with study results after new TLDs are operating for one year, as required by the Affirmation of Commitments item 9.3 <BR>
</SPAN></FONT></FONT></BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:11pt'><BR>
<BR>
Let’s go right to the core issue of Money. Consider this discussion that happened during Council meeting in Nairobi:<BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:11pt'>Liz Gasster described some study proposals as "expensive" and then Stefane and Wolf commented on the costs and budget constraints. <BR>
<BR>
I intervened to say that the lack of fact-based studies has itself been very expensive over several years of time & travel on the part of dozens of community members. Those costs will continue unless/until we have facts at hand to make policy decisions.<BR>
<BR>
Marilyn made a similar point about need for fact-based analysis. <BR>
<BR>
Bruce Tonkin recommended that Council budget a lump sum for studies, then decide how to spend it. Don't budget each specific study, he said.<BR>
<BR>
I <FONT COLOR="#0000FF">believe Bruce Tonkin is right. Council should ask for a budget of $XXX,XXX in FY 2011 for a general category of Whois studies. Since we need a budget number now, I’d say $360,000, to cover the misuse and registrant studies ($150K each) plus a 20% contingency. <BR>
</FONT><BR>
</SPAN></FONT></FONT></BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:11pt'>Next steps: I would ask staff to begin negotiating with the two ‘superior’ bidders on detailed workplan for their studies. Staff should start by asking bidders to review:<BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:11pt'><BR>
The 4-Mar-2009 Council resolution on Whois studies, including the original rationale for each hypothesis, etc. <BR>
<BR>
The Affirmation of Commitments, items 9.3 and 9.3.1<BR>
<BR>
Staff should also show the bidders any Whois-related items in the Draft Applicant Guidebook.<BR>
<BR>
Superior Bidders can then prepare detailed study workplans that policy staff can analyze and present to Council later this year. <BR>
</SPAN></FONT></FONT></BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:11pt'><BR>
<BR>
Note: The Staff report (page 7) mentions the Whois Accuracy report, and asks whether “barriers to accuracy” provide useful insights to policy. <BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:11pt'><BR>
I would answer, “Accuracy is something we aspire to; whereas inaccuracy is a contract compliance problem.” <BR>
<BR>
Let’s set high aspirations to require accurate Whois data for registrants, even if we know that lots of data is inaccurate today. After all, registrars manage to gather credit card information that’s sufficiently accurate to ensure they get paid. Let’s find ways to ensure they apply the same diligence in collecting and validating public Whois data.<BR>
<BR>
(Note: Susan Kawaguchi of Facebook volunteered to draft BC comments on Whois Accuracy report. Those aren’t due until 15-Apr) <BR>
</SPAN></FONT></FONT></BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:11pt'><BR>
Whois Studies Reports and resources: <BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:11pt'><U><a href="https://st.icann.org/gnso-council/index.cgi?whois_discussion">https://st.icann.org/gnso-council/index.cgi?whois_discussion</a></U>#<BR>
<U><a href="http://gnso.icann.org/issues/whois/whois-studies-report-for-gnso-23mar10-en.p">http://gnso.icann.org/issues/whois/whois-studies-report-for-gnso-23mar10-en.p</a></U>df<BR>
Presentation Sli<U>des: <a href="http://gnso.icann.org/correspondence/whois-studies-presentation-01apr10-en">http://gnso.icann.org/correspondence/whois-studies-presentation-01apr10-en</a></U>.pdf<BR>
</SPAN></FONT></FONT></BLOCKQUOTE></BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:11pt'><BR>
</SPAN></FONT></FONT><FONT FACE="Optima, Times New Roman"><SPAN STYLE='font-size:10pt'>-- <BR>
Steve DelBianco<BR>
Executive Director<BR>
NetChoice<BR>
<a href="http://www.NetChoice.org">http://www.NetChoice.org</a> and <a href="http://blog.netchoice.org">http://blog.netchoice.org</a> <BR>
+1.202.420.7482 <BR>
<BR>
</SPAN></FONT>
</BODY>
</HTML>