Two important questions have been gaining traction within the ICANN community in 2025: how should registrars disclose information protected by Whois Privacy services, and should third-party proxy services be regulated as a new Contracted Party? There was a lot of conversation—both scheduled and informal—around these topics at previous ICANN meetings, and it will continue at ICANN84.

At Tucows, we’ve seen an increase in requests for disclosure of registration data protected by our Whois Privacy service, “Contact Privacy” (or “Whois Privacy Protect,” when offered through our Enom brand). Since the topic is so salient, today we’re providing a brief refresher on Whois1 Privacy services and what proxies are.

What are Whois Privacy services, and what are proxies?

ICANN’s Registrar Accreditation Agreement includes a Specification on Privacy and Proxy Registrations defining both terms. Here’s a quick summary:

A Privacy service is just that: a service that a registrar provides to its customer (the domain registrant, aka the Registered Name Holder) that replaces the registrant’s data in the Whois with the Whois Privacy service’s information. Whois Privacy service information is always published, as required by section 9.2.5 of the Registration Data Policy—the Whois output will not include blank fields. Registrars have differing rules around when and why they might disclose the ​​registrant’s information to a third party, but, like many other registrars, when a customer has Contact Privacy enabled, Tucows considers the underlying information to be business data. We typically only disclose it upon receipt of a subpoena or warrant, similar to how credit card billing information is handled.

A “proxy” service is an agreement between someone who wants to register a domain name and another person or company that acts as the official registrant. For example, a law firm might act as a proxy to register a domain on behalf of a client, so the client isn’t seen registering a domain relating to a business they haven’t yet taken public. Similarly, a website builder might register and manage domains on behalf of their customers. You might even buy a domain name for a family member who doesn’t understand how domains work. In all three cases, the proxy is the registrant; they have the relationship with the domain registrar, and their information is displayed (or obscured because of privacy laws) in the Whois output.

The difference between Privacy services and proxy registrants

Some people lump them together as “Privacy/Proxy Services,” but the difference is quite important. Let’s take a look.

The “proxy registrant” is the registrant and has full liability for anything that happens on the domain—just like every other registrant. Proxy or not, the registrar has a contract with the registrant, and the registrar can provide that registrant’s information to a third party upon balancing the rights of the registrant and the requestor. Once the requestor has the registrant information, they may take whatever legal actions they need to against that registrant.

Going back to whether third-party proxy services should be regulated as a new Contracted Party: when you consider the context above and how proxy registration works, we think it’s clear that this is not just unnecessary but undesirable. The proxy registrant is the registrant. They are already contractually bound to both the registrar’s specific requirements and the ICANN Registrant Benefits and Responsibilities. In both cases, they are subject to the outcome of the ICANN Policy Development Process.

A Whois Privacy service provider (typically the registrar) does not take on liability for what happens on the domain—only the registrant is responsible. In this context, law enforcement or an attorney may want the registrant’s name and information (often referred to as underlying data) in order to bring legal proceedings against the registrant. For those disclosure requests, we require legal due process before revealing the underlying customer data.

Handling disclosure requests

When we receive a Whois data disclosure request, one of the things we look at is whether the domain uses our Contact Privacy service. If it does, we explain that the information available publicly can be used to contact the registrant and that we respectfully request local and adequate due process before disclosing additional information or data. 

If the domain is not using our Contact Privacy service, we evaluate the request and (if approved) disclose the registrant information. We can’t know whether the registrant is a proxy registrant—no registrar can—and, in any case, they are the registrant and are responsible for any use of the domain.

Tiered Access Statistics: 1 May – 31 August 2025

We received 152 requests in this period, bringing the total since we began tracking it to 6524.

We noticed a significant increase in requests for disclosure of data relating to domains using one of our Whois Privacy services: this category made up nearly 30% of the requests we got this period, instead of hovering around 10% as usual. The bulk of this stems from Indian law enforcement looking for information about gambling websites.

Data disclosure request outcomes: new period (May – August 2025)

Urgent requests

We wrote about Urgent requests earlier this year, and intend to track that information moving forward.

In the new reporting period, we received 3 requests marked as “Urgent,” although none met the definition.

Requests by requestor category

Requests by category: new period (May – August 2025)

Law Enforcement requests were once again the most frequent requestor category in the reporting period, continuing to outnumber Commercial Litigation, which has often held the position in the past.

Requests by category since 2018

Requests by category (total)

Abandoned requests by requestor category (May – August 2025)

We continue to receive requests that are abandoned when we follow up asking for more information, including this period’s only request from the security community:

LEA request locations

We received a request from a new foreign law enforcement agency during this period: the Federation of Saint Kitts and Nevis.

We continue to receive the bulk of our LEA requests from outside our local jurisdictions, both overall and in the new reporting period. In the new period, about half as many requests came from local LEA as we saw in the overall total—meaning rates skew even more strongly towards foreign LEA than they used to.

LEA request origin (local vs foreign) – overall

LEA request origin (local vs foreign) – new period

Local LEA request breakdown (overall)

Total requests over time

To read our past Tiered Access blog posts, please see:

1We know, Whois is on the way out and RDAP is the shiny new protocol, but “registration data directory services outputs” is just too much to type. For simplicity and understanding, in this post, we’ll call it Whois.