[bc-gnso] Additional info for Whois Studies discussion at 1-Apr GNSO Council Meeting

Thu Apr 1 13:13:10 UTC 2010

Mike and Zahid -- I predict you will encounter resistance today to the Study
on Whois Misuse ($150K).  If I were there, I would offer this:

Milton Mueller, Robin Gross and the NCUC had for years claimed that people
suffered harm and harassment BECAUSE their data was displayed in Whois.   It
was just an assertion with no data support, but it was their main argument
against Whois.

That¹s why I suggested study #1 and Claudio of INTA suggested studies 14 and
15.   We wanted some data to know if significant harm comes from Whois.
It¹s probable that a few harassment cases came from Whois but I am confident
it won¹t be material or significant, and we can show that there are other
sources where email addresses could be obtained.   (See below for what Liz
Gasster and Lorrie Cranor had to say about the misuse studies)

I¹ve already mentioned the AoC review of Whois that¹s coming next year.
And then there¹s the GAC.  In their Whois letter
(http://www.icann.org/correspondence/karlins-to-thrush-16apr08.pdf)  the GAC
explicitly calls for misuse data:

> The goal should be to initially compile data that provides a documented
> evidence base regarding: ...  the types and extent of misuses of WHOIS data
> and what harm is caused by each type of misuse, including economic, use of
> WHOIS data in SPAM generation, abuse of personal data, loss of reputation or
> identity theft, security costs and loss of data.

There¹s a lesson I learned during the Microsoft case:  ³Don¹t moon the
giant.²   This study is $150K out of a $70M annual budget and that¹s a small
price to pay to avoid mooning the giants of GAC and USG.

Just my two cents.
--Steve

Below is the early analysis from the esteemed Lorrie Cranor of ATT and W3C.
Lorrie concluded it might be helpful though she thought it would be
inexpensive.

> WHOIS misuse studies
> Four proposals (suggestions #1, #14, #15 and #21) suggest that ICANN study
> misuse of WHOIS data to determine the connection, if any, between WHOIS and
> illegal activities. These studies will help establish the extent and nature of
> problems caused by unprotected WHOIS data.
>> Study Suggestion Number 1: (DelBianco)  1) Gather data on WHOIS misuse from
>> consumer protection bureaus and other entities who maintain data on misuse
>> incidents reported by registrants and 2) survey a random sample of
>> registrants in each gTLD and selected ccTLDs.
>> Study Suggestion Number 14: (INTA)  Create a set of new email addresses, use
>> half of them to register domain names, and monitor all for spam for 90 days
>> to determine how much WHOIS information contributes to spam.
>> Study Suggestion Number 15: (INTA) Create a set of new email addresses, use
>> them to register new domain names at registrars that allow and disallow port
>> 43 WHOIS queries, and monitor all for spam to determine the extent to which
>> port 43 WHOIS queries contribute to spam.
>> Study Suggestion Number 21: (Kleiman) Survey registrars and human rights
>> organizations to determine how WHOIS is being used in ways that seem to have
>> no bearing on the security and stability of the DNS.
> 
> 1 and 21 propose to survey registrars and other parties who may keep records
> of misuse incidents. 1 also proposes a survey of registrants. These proposed
> studies may shed some light on the extent and type of misuse of WHOIS data.
> However, it will be difficult to gather representative data as not all cases
> of abuse are reported. In addition, it is not always possible to confirm that
> misused data was obtained from WHOIS, as this information may be available
> form other sources. A registrant survey is likely to receive disproportionate
> responses from registrants who believe their WHOIS information has been
> abused. Nonetheless, the above studies may result in useful qualitative data
> about the nature of misuse and provide a rough quantitative estimate of the
> extent of misuse. Surveying those who already keep track of abuse incidents is
> likely to be a relatively low- cost approach. The registrant study is likely
> to be more expensive if done on a large scale, and seems less likely to result
> in useful data.
> 
> 14 and 15 focus specifically on spam and propose studies in which new email
> addresses are created and used to register domains to determine how much WHOIS
> information contributes to spam. 15 compares the amount of spam received as a
> result of registering a domain at registrars that allow and prohibit port 43
> WHOIS queries. These studies should results in fairly accurate quantitative
> data. However, 14 is quite similar to the October 2007 SSAC study ³Is the
> WHOIS service a source for email addresses for spammers?² and would not likely
> contribute new information. If port 43 queries are of interest from a policy
> perspective, study 15 should provide reliable data to inform that discussion.

On 3/31/10 5:43 PM, "Steve DelBianco" <sdelbianco at netchoice.org> wrote:

> Mike & Zahid -- 
> 
> You asked for some BC membership views on the Whois studies that will be
> discussed at your Council meeting tomorrow (1-Apr).  See below and attachment.
> Hope this helps.
> 
> Your agenda shows potential actions on Whois studies:
>> 3.4.1 Review and assess cost and feasibility estimates for the studies
>> 3.4.2 Decide whether to pursue any of the studies and, if so, which ones
>> 3.4.3 Provide input into the FY11 budget process
>> 3.5 How should we accomplish the above?
>> €    Should we form a drafting team to develop recommendations for
>> consideration in our next meeting?
>> €    Note that a final budget has to be finished by 17 May and there are
>> currently no funds budgeted for Whois Studies
> 
> My recommendations:
> 
> Let¹s proceed with the Misuse and Registrant Identification studies.
> 
>> The Misuse and Registrant ID studies are likely to generate data that would
>> affect policy decisions and compliance work.  These 2 studies are not going
>> to stop the long-standing disagreements between passionate parties on either
>> side, but that¹s not the point of doing studies.   Remember the debate over
>> domain tasting?  Fact-based data on the number of deletes with the AGP were
>> astounding, and helped us enact a policy change.  The data did not make
>> everyone agree on whether domain tasting was harmful.  But facts showed a
>> hugely prevalent use of AGP that was outside its original purpose, and that
>> moved us to a new consensus policy.
>> 
>> We¹ll certainly use study data when setting policy and compliance standards,
>> especially with so many new TLD operators coming online next year.
>> 
>> Moreover, the Affirmation of Commitments (9.3.1) requires ICANN to ³organize
>> a review of WHOIS policy and its implementation to assess the extent to which
>> WHOIS policy is effective and its implementation meets the legitimate needs
>> of law enforcement and promotes consumer trust².  The Misuse and Registrant
>> data studies will be essential for that review.
>> 
>> We will also want to have these study results on hand so they can be compared
>> with study results after new TLDs are operating for one year, as required by
>> the Affirmation of Commitments item 9.3
> 
> 
> Let¹s go right to the core issue of Money.  Consider this discussion that
> happened during Council meeting in Nairobi:
>> Liz Gasster described some study proposals as "expensive" and then Stefane
>> and Wolf commented on the costs and budget constraints.
>> 
>> I intervened to say that the lack of fact-based studies has itself been very
>> expensive over several years of time & travel on the part of dozens of
>> community members.   Those costs will continue unless/until we have facts at
>> hand to make policy decisions.
>> 
>> Marilyn made a similar point about need for fact-based analysis.
>> 
>> Bruce Tonkin recommended that Council budget a lump sum for studies, then
>> decide how to spend it.  Don't budget each specific study, he said.
>> 
>> I believe Bruce Tonkin is right.  Council should ask for a budget of $XXX,XXX
>> in FY 2011 for a general category of Whois studies.   Since we need a budget
>> number now, I¹d say $360,000, to cover the misuse and registrant studies
>> ($150K each) plus a 20% contingency.
>> 
> Next steps: I would ask staff to begin negotiating with the two Œsuperior¹
> bidders on detailed workplan for their studies.  Staff should start by asking
> bidders to review:
>> 
>> The 4-Mar-2009 Council resolution on Whois studies, including the original
>> rationale for each hypothesis, etc.
>> 
>> The Affirmation of Commitments, items 9.3 and 9.3.1
>> 
>> Staff should also show the bidders any Whois-related items in the Draft
>> Applicant Guidebook.
>> 
>> Superior Bidders can then prepare detailed study workplans that policy staff
>> can analyze and present to Council later this year.
> 
> 
> Note:  The Staff report (page 7) mentions the Whois Accuracy report, and asks
> whether ³barriers to accuracy² provide useful insights to policy.
>> 
>> I would answer, ³Accuracy is something we aspire to; whereas inaccuracy is a
>> contract compliance problem.²
>> 
>> Let¹s set high aspirations to require accurate Whois data for registrants,
>> even if we know that lots of data is inaccurate today. After all, registrars
>> manage to gather credit card information that¹s sufficiently accurate to
>> ensure they get paid.   Let¹s find ways to ensure they apply the same
>> diligence in collecting and validating public Whois data.
>> 
>> (Note: Susan Kawaguchi of Facebook volunteered to draft BC comments on Whois
>> Accuracy report.  Those aren¹t due until 15-Apr)
> 
> Whois Studies Reports and resources:
>> https://st.icann.org/gnso-council/index.cgi?whois_discussion#
>> http://gnso.icann.org/issues/whois/whois-studies-report-for-gnso-23mar10-en.p
>> df
>> Presentation Slides:
>> 
http://gnso.icann.org/correspondence/whois-studies-presentation-01apr10-en.pd>>
f

-- 
Steve DelBianco
Executive Director
NetChoice
http://www.NetChoice.org and http://blog.netchoice.org
+1.202.420.7482 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/bc-gnso/attachments/20100401/d164da96/attachment.html>