The GNSO was asked to make recommendations on what studies could or should be done to ultimately allow some progress on the Whois issue. Public input was requested on the types of studies that could be done, and this list was merged with the GAC request to the Board on Whois studies. We are now at the stage where GNSO constituencies have prioritized the various studies (or groups of studies) so that ICANN staff can begin to evaluate the feasibility and cost of such studies. The GNSO is scheduled to hold a vote on the issue in Mexico City. Although not a formal Constituency, the ALAC was asked to rate prioritize the studies also. A working group was convened. The volunteers were Alan Greenberg, Cheryl Langdon-Orr, Beau Brendler, Carlton Samuels, Danny Younger, Seith Reiss, Sylvia Caras and Gareth Shearman. Beau volunteered to evaluate the studies from a user and consumer point of view. Most of the WG participants felt that we should give the studies ratings, although there view was expressed by some that we should follow the RrC and NCUC example (see below). The attached spreadsheet gives the various studies/groups, a brief description or hypothesis (some less brief than others), the priority rating that Beau assigned and the priorities of the GNSO constituencies. Note that two Constituencies, the Registrar and Non-Commercial Users, rated all studies at zero. For the Registrars, the reasons were: "The RrC continues to maintain that no studies should be pursued. We have over six years of history on this topic. It was clear through those years that the stakeholder groups were entrenched in their views and positions and there is no evidence or any other indication that any of these studies will change that." The NCUC also felt that there was no point in any further studies. Following the individual ratings are the averages. I have calculated the averages both before and after the ALAC input, and also both including and excluding the RrC and NCUC. By comparing the before and after ALAC averages, you can see how our input will impact the process. By excluding the RrC and NCUC, we can see how our priorities compared to those set by the other groups that went through the exercise. On the average, I have highlighted those with an average of greater than 2.5 (studies were given ratings from 0 to 5). Without the ALAC, 6 studies were above the threshold and are scheduled to be recommended for further ICANN staff action. With the ALAC ratings, two additional studies are above the threshold. If the threshold is raised just a bit, we would have no change in the overall outcome (even though a few of our ratings are quite different from the others that gave non-zero ratings). I understand that this is not a particularly understandable table, but I am at a loss as to how to make it easier without making it much larger. For those who want to understand more about what the studies are looking at, see http://gnso.icann.org/issues/whois/whois-study-hypothesis-group-report-to-co.... The current plan from the WG is to submit this to the GNSO for inclusion in their deliberations. I am not sure if Cheryl is planning to schedule a formal ALAC vote on this, but will leave that up to her. Beau did review his rationale for the priorities during the last conference call, and I will post the location of the MP3 as soon as I get it. If someone has specific questions, I am sure he will try to answer them. Alan
Thanks Alan and others for your hard work on this. On reading the end results of these calculations, I would tend to agree with the NCUC and the registrars that those studies are a waste of time and money. This is not only because we already have a lot of history and studies. This is mostly because, IMHO, we are taking the problem from the wrong end. To state it simply, it is not about what the ICANN community would _like_ to achieve, it is what the community is _able_ to achieve in the real world. The fact gathering about the legal context applying to privacy is paramount in this context. It rated pretty low in the list, so it will most probably not be studied. Too bad, because we may end up with ICANN policies that some registrars may not be able to abide to, due to their local legal requirements, in effect distorting the market in favour of those registrars located in countries where there are little or no privacy laws. Patrick On Thu, 19 Feb 2009 02:03:25 -0500, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
The GNSO was asked to make recommendations on what studies could or should be done to ultimately allow some progress on the Whois issue.
Public input was requested on the types of studies that could be done, and this list was merged with the GAC request to the Board on Whois studies.
We are now at the stage where GNSO constituencies have prioritized the various studies (or groups of studies) so that ICANN staff can begin to evaluate the feasibility and cost of such studies. The GNSO is scheduled to hold a vote on the issue in Mexico City.
Although not a formal Constituency, the ALAC was asked to rate prioritize the studies also.
A working group was convened. The volunteers were Alan Greenberg, Cheryl Langdon-Orr, Beau Brendler, Carlton Samuels, Danny Younger, Seith Reiss, Sylvia Caras and Gareth Shearman.
Beau volunteered to evaluate the studies from a user and consumer point of view. Most of the WG participants felt that we should give the studies ratings, although there view was expressed by some that we should follow the RrC and NCUC example (see below).
The attached spreadsheet gives the various studies/groups, a brief description or hypothesis (some less brief than others), the priority rating that Beau assigned and the priorities of the GNSO constituencies. Note that two Constituencies, the Registrar and Non-Commercial Users, rated all studies at zero. For the Registrars, the reasons were: "The RrC continues to maintain that no studies should be pursued. We have over six years of history on this topic. It was clear through those years that the stakeholder groups were entrenched in their views and positions and there is no evidence or any other indication that any of these studies will change that." The NCUC also felt that there was no point in any further studies.
Following the individual ratings are the averages. I have calculated the averages both before and after the ALAC input, and also both including and excluding the RrC and NCUC. By comparing the before and after ALAC averages, you can see how our input will impact the process. By excluding the RrC and NCUC, we can see how our priorities compared to those set by the other groups that went through the exercise.
On the average, I have highlighted those with an average of greater than 2.5 (studies were given ratings from 0 to 5). Without the ALAC, 6 studies were above the threshold and are scheduled to be recommended for further ICANN staff action. With the ALAC ratings, two additional studies are above the threshold. If the threshold is raised just a bit, we would have no change in the overall outcome (even though a few of our ratings are quite different from the others that gave non-zero ratings).
I understand that this is not a particularly understandable table, but I am at a loss as to how to make it easier without making it much larger. For those who want to understand more about what the studies are looking at, see
http://gnso.icann.org/issues/whois/whois-study-hypothesis-group-report-to-co....
The current plan from the WG is to submit this to the GNSO for inclusion in their deliberations. I am not sure if Cheryl is planning to schedule a formal ALAC vote on this, but will leave that up to her.
Beau did review his rationale for the priorities during the last conference call, and I will post the location of the MP3 as soon as I get it.
If someone has specific questions, I am sure he will try to answer them.
Alan
Thanks Alan and others for your hard work on this.
To state it simply, it is not about what the ICANN community would _like_ to achieve, it is what the community is _able_ to achieve in the real world. The fact gathering about the legal context applying to privacy is paramount in this context. It rated pretty low in the list, so it will most probably not be studied. Too bad, because we may end up with ICANN policies that some registrars may not be able to abide to, due to their local legal requirements, in effect distorting the market in favour of those registrars located in countries where there are little or no privacy laws.
Patrick I disagree. Though many countries have privacy protections not provided by the USA, I suspect that those countries will allow disclosure when a party agrees to that disclosure, by contract.
I disagree. Though many countries have privacy protections not provided by the USA, I suspect that those countries will allow disclosure when a party agrees to that disclosure, by contract.
Maybe I'm missing something here, but the issue is what happens when the party does *not* agree. In some countries you cannot force them to agree, therefore the problem about different competitive advantage for registrars. Cheers, Roberto ____________ Virus checked by G DATA AntiVirus Version: AVF 19.227 from 19.01.2009 Virus news: www.antiviruslab.com
Roberto Gaetano wrote: To begin - it is really good to see your name on an email again. I trust you are doing well.
I disagree. Though many countries have privacy protections not provided by the USA, I suspect that those countries will allow disclosure when a party agrees to that disclosure, by contract.
Maybe I'm missing something here, but the issue is what happens when the party does *not* agree. In some countries you cannot force them to agree, therefore the problem about different competitive advantage for registrars.
This is far from an easy point. There is in US contract law the idea of a "contract of adhesion" - the most typical example is when you drive into a parking lot and a machine ejects a bit of cardboard on which are printed purported terms and conditions. Are you bound by those or not? Suffice it to say that the answer to that question probably varies from jurisdiction to jurisdiction around the world. And since the Whois issue spans the world, I'm sure that local answers will vary. One aspect that may influence those answers is the fact that there is really no practical alternative to ICANN's whois regime. (Well, there are the ccTLDs and that perhaps weakens the entire thought that follows.) One may argue that because of ICANN's all-enveloping coverage and also the fact that ICANN's UDRP and whois policies were made without much (or any) power of the public at large to affect those policies, that the privacy-breaking aspects of whois should be interpreted in a narrow or weak (i.e. protective of privacy) way. I have long suggested that any one who makes an inquiry into the whois data should be obligated to leave an electric "calling card" record that informs the data subject of the name, identity, affiliation, contact information, and asserted reason for making the inquiry. It seems only fair that if Mr. X is asking about you that you should be able to know who Mr. X is and why he's looking you up. --karl--
Karl Auerbach wrote:
....
I have long suggested that any one who makes an inquiry into the whois data should be obligated to leave an electric "calling card" record that informs the data subject of the name, identity, affiliation, contact information, and asserted reason for making the inquiry. It seems only fair that if Mr. X is asking about you that you should be able to know who Mr. X is and why he's looking you up.
--karl--
We have a perfect world vs a real world scenario here. In theory the answer would be yes of course. In reality it may not be a good idea. We have three points of contact - the address for postal mail, the email address and the email address. If the postal address is used, be ready for a wave of complaints from the USA, also to a lesser extent Europe, that people are named in domain registrations for domains they never knew existed, some do not even known what a domain is. Of course the suggested may be accompanied by a message that if you do not known anything about this domain, please report it which would be great. The mileage on the telephone number may vary. International forwarding numbers from the UK to untraceable destinations are very popular. Likewise untraceable cellphones. Email addresses are a definite bad idea. I will explain: Right now we have a class of registrant that will register domains for nefarious purposes such as spamming, phishing, money mule websites etc. It is common knowledge (I believe so at least, but easily provable), that these registrants do not supply their real details. Remember, criminals love anonymity. In the process the registrant details are populated with details obtained from the internet, as the result of phishing attempts, stolen databases or other security breaches etc. The extent of this problem is rapidly escalating. Using the telephone or email contact details will simply alert a criminal that somebody is researching his activities. If Joe queried domain A registered to registrant X, domain B registered to Y, domain C registered to Z and X, Y and Z is the same person in real life using these domains for illegal purposes and he became aware of Joe querying his domains, he will disappear very fast or even retaliate is he could trace Joe (and he could most likely not use nice legal methods either). In theory in the perfect world, this party querying the whois would be a law enforcement agency. Real life dictates it will most likely be not be. I will not delve into the challenges the victims of cyber-criminals face. However, a postal mail would be a great idea - if the real X, Y or Z in the example above denies knowledge of the domain, the domain should be canceled. Of course once again the postage costs would be prohibitive and may form the basis of a DDoS attack for registrars and legitimate registrants (proxies, botnets etc), so this is also a bad idea. Currently the whois data entering the system is not verified or where it does take place, it is not really conclusive, that is the problem. Before the bogus whois issue is somehow fixed (while protecting innocent registrants), we cannot try and fix the other problems this causes. So reality dictates I have to disagree. Regards Derek
Derek Smythe wrote:
I have long suggested that any one who makes an inquiry into the whois data should be obligated to leave an electric "calling card" record that informs the data subject of the name, identity...
We have a perfect world vs a real world scenario here.
In theory the answer would be yes of course. In reality it may not be a good idea.
While the objections you raise are valid, it seems to me that the easier answer is to say that if someone tries to make an inquiry of the whois system and who is unable himself/herself to provide an easily authenticated identification, then the query should be flatly denied (although a record of the attempt should be kept so that the data subject can see how many times a failed assult on his/her privacy has been made.) How might one be authenticated? One place is the already existing bulk whois system in which real money has been handed over - ICANN could keep a list of those people and with a bit of extra stuff (something akin to the CSV on the back of a credit card) list could be used to authenticate whois queriers. Other places could be a set of digital keys - like the ever expanding interlocking ring of PGP/GPG keys. Then there could be the slowly growing (some may say stagnating) reputation services. The burden of proving an authentic ID ought to fall upon the person making the query; we ought not to sacrifice privacy on the altar of the querier's convenience. If the querier can't meet that burden then he/she should be sent packing, which is an aptly ironic result considering that the querier was most trying to penetrate the identity of the domain name. --karl--
Well done to the discussants of this topic. The idea of leaving "e-calling card" behind sounds to me like a demand to cause chaos - its like asking everybody shout out, "Hi there!, I can see you!" allthe way down a busy street. The demand for electronic calling card (or electric card as it has been refered to) is a protocol that borders to be a burden. It is like asking for a signature from every reader in a book they have read in public library. If "WhoIs" this as an open, transparent , global system whereby none of the local (ie. individual country Laws/Regulations ) apply but only ICANN By-Laws, why should a demand such a Right be there in the first place? Is it a matter of "Protocol and Protection on the Internet" and by who? Lets not be submerged into technical and profit issues at the expense of Social Responsibiliy Y Mshana (neutral user)
Date: Fri, 20 Feb 2009 16:01:39 -0800 From: karl@cavebear.com To: at-large@atlarge-lists.icann.org; derek@aa419.org Subject: Re: [At-Large] [ALAC] WHOIS Studies
Derek Smythe wrote:
I have long suggested that any one who makes an inquiry into the whois data should be obligated to leave an electric "calling card" record that informs the data subject of the name, identity...
We have a perfect world vs a real world scenario here.
In theory the answer would be yes of course. In reality it may not be a good idea.
While the objections you raise are valid, it seems to me that the easier answer is to say that if someone tries to make an inquiry of the whois system and who is unable himself/herself to provide an easily authenticated identification, then the query should be flatly denied (although a record of the attempt should be kept so that the data subject can see how many times a failed assult on his/her privacy has been made.)
How might one be authenticated? One place is the already existing bulk whois system in which real money has been handed over - ICANN could keep a list of those people and with a bit of extra stuff (something akin to the CSV on the back of a credit card) list could be used to authenticate whois queriers.
Other places could be a set of digital keys - like the ever expanding interlocking ring of PGP/GPG keys.
Then there could be the slowly growing (some may say stagnating) reputation services.
The burden of proving an authentic ID ought to fall upon the person making the query; we ought not to sacrifice privacy on the altar of the querier's convenience.
If the querier can't meet that burden then he/she should be sent packing, which is an aptly ironic result considering that the querier was most trying to penetrate the identity of the domain name.
--karl--
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann...
At-Large Official Site: http://atlarge.icann.org
_________________________________________________________________ Drag n’ drop—Get easy photo sharing with Windows Live™ Photos. http://www.microsoft.com/windows/windowslive/products/photos.aspx
participants (7)
-
Alan Greenberg -
Bill Silverstein -
Derek Smythe -
Karl Auerbach -
Patrick Vande Walle -
Roberto Gaetano -
Yassin Mshana