Welcome to your regularly scheduled TACO stats blog! In the lead-up to ICANN82 in Seattle, we’re thinking about ICANN’s Registration Data Request Service (RDRS). Tucows has been a participant in the RDRS pilot project since its launch at the end of 2023, and we’ve written about it in past blogs. For those unfamiliar with the project, the RDRS is ICANN’s central intake point for registration data disclosure requests, through which they’re directed to the appropriate registrar.
Misdirected disclosure requests
Over the past year and a bit of participation in the RDRS, we have seen an increasing rate of misdirected requests:

Misdirected requests often come from domain registrants looking to verify or manage their registration data, asking for help with renewals or other aspects of their services, or attempting to contact their resellers. We also receive third-party requests to disclose registration data for domains that are not registered with Tucows Domains (Ascio, Enom, EPAG, and OpenSRS), as well as domain purchase offers, which should instead be sent directly to the domain owner.
In our in-house TACO system, misdirected requests are easily redirected during triage; the requests all remain within our ticketing system and can be easily reassigned among teams. This happens seamlessly, with the effect that the registrant (or other requestor) will get the answer they need even if they submit the request in the wrong place. In addition, personal data stays with us—the registrar—without having to involve a third party (like ICANN).
In the RDRS, however, misdirected requests cannot be easily reassigned; instead, the request must be tracked as “denied.” These cases—primarily registrants looking for help—are not what the RDRS is intended for. They significantly degrade the customer experience, fill up the RDRS queue, and skew ICANN’s publicly reported metrics with invalid requests. Importantly, these misdirected requests also result in a third party (ICANN) holding personal and business-confidential data it should not have.
Tucows’ ongoing participation in RDRS
We have participated in the RDRS pilot program since its launch because we support the policy development process that led to the creation of the RDRS as a data-gathering exercise. We believe that our participation over the past fourteen months has helped achieve this goal.
The RDRS was intended to gather data for two years or until enough data had been gathered to inform the ICANN Board’s decision about building a full Standardized System for Access and Disclosure (SSAD). The RDRS Standing Committee is now drafting their report, which will discuss trends in system usage, review technical updates that have been completed and recommend others that should be considered, and document lessons learned. Perhaps most importantly, the report will put forward suggestions to the GNSO Council as to what they might recommend to the ICANN Board in relation to the Board’s consideration of the EPDP Phase 2 Working Group’s SSAD recommendations.
Given that the RDRS Standing Committee has enough data to complete its report, as well as the customer experience challenges and data privacy concerns we’ve outlined above, Tucows Domains has decided to end our participation in the RDRS.
Requestors can of course continue to use our TACO service, and those who prefer to do so can still create their request within the RDRS and then export it for submission through TACO. Registrants can continue to use our support portals and email addresses to contact us for help. This will ensure a better customer experience while also enhancing security and data protection, enabling us to deliver quicker response times to both data requestors and registrants looking for help.
Our dedication to the multistakeholder model and to the ICANN process remains strong and we will continue to support the Community’s RDRS work by representing Registrars on the RDRS Standing Committee and in other policy areas.
Cost recovery in TACO
We want to be crystal clear about something: Tucows never sells personal data and does not disclose personal data in exchange for money. Billing for TACO has always been an attempt to defray the costs of operating the TACO system and reviewing all submissions for sufficiency and legal basis. A privacy attorney reviews each request—however it is received—individually on its merits, to ensure a legal basis exists for the disclosure of personal registrant data.
We waive fees for single-use requestors and local law enforcement; we typically also waive fees for foreign law enforcement. We always consider—and will continue to consider—requests for fee waivers. To clarify this, we have adjusted the terms available on the TACO website.
This billing model is similar to what the ICANN Community proposed for the eventual Standardized System for Access and Disclosure; EPDP Phase 2 Recommendation 14 states that “Requestors of the SSAD data should primarily bear the costs of maintaining this system” and “running of the system is expected to happen on a cost recovery basis.”
The RDRS itself was developed specifically to support clarification of the long-term cost of operating the SSAD, as the Operational Design Assessment for the SSAD was unable to determine a final cost due to lack of data about the expected volume of requests. Domain Incite has done some calculations that we consider to be instructive in this regard. They determined that the RDRS per-lookup cost was in the neighborhood of $3,000 USD. While TACO is somewhat leaner, our fees do not reflect the full cost of development and maintenance of the system nor the regular waiver of fees and the ongoing cost of human review. Balancing cost-recovery with accessibility for necessary purposes is difficult, as Domain Incite’s article underscores. We hope we have found a reasonable balance in our implementation and continue to work with requestors to ensure this. We welcome feedback.
But that’s probably not what you came here for! Let’s turn to the disclosure request rates and results for our most recent reporting period: September through December 2024.
Tiered Access Statistics: 1 September – 31 December 2024
We received 217 requests in this period, bringing the total since we began tracking it up to 6216.
Of those 217 requests, 118 (55%) came in through RDRS, while the remaining 99 (45%) were submitted to us directly through TACO.
That said, 20% of those 118 RDRS requests were misdirected. If we remove those, it brings our rates to 94 through RDRS and 99 through TACO. It’s important to note that the misdirected requests received through the RDRS are still categorized as “denied,” and the charts below reflect this.
Data disclosure request outcomes: new period (September – December 2024)





Data disclosure request outcomes: overall
Although we don’t always include this chart, we thought it would be informative to share the disclosure request outcomes since we began operating the TACO system:

Requests by requestor category
Requests by category: new period (September – December 2024)

Requests by category since 2018

Requests by category (total)

Abandoned requests by requestor category (September – December 2024)

LEA request locations
Our map of requestor locations hasn’t changed since the last post, as we did not receive requests from any new countries in this reporting period.

We continue to receive the bulk of our LEA requests from outside our local jurisdictions, both overall and in the new reporting period:
LEA request origin (local vs foreign) – overall

LEA request origin (local vs foreign) – new period

Local LEA request breakdown (overall)

Total requests over time

To read our past Tiered Access blog posts, please see:
- OpenSRS’ Tiered Access Directory: a Look at the Numbers (May 2018 – mid-February 2019)
- Tiered Access Data Disclosure Update (mid-February – mid-October 2019)
- Privacy and Lawful Access to Personal Data at Tucows (mid-October 2019 – end of February 2020)
- Whois History and Updated Tiered Access Statistics (March – end of August 2020)
- Tiered Access request review process and updated statistics (September 2020 – end of August 2021)
- Tiered Access update: refreshed statistics and law enforcement processes (August – December 2021)
- Tiered Access update: registration data accuracy, and updated statistics (January – April 2022)
- Tiered Access update and thoughts on due process (May – August 2022)
- TACO Platform Updates (November 2022)
- Tiered Access update: policy check-in and updated statistics (September – December 2022)
- Tiered Access update: centralized system development, and updated statistics (January – April 2023)
- Tiered Access update: “urgent” disclosure requests and updated statistics (May – August 2023)
- Tiered Access update: RDRS first experiences and updated statistics (September – December 2023)
- Tiered Access update: law enforcement (foreign and local) and fresh 2024 statistics (January – April 2024)
- Tiered Access update: RDRS, security and LEA requests, and updated statistics (May – August 2024)