Privacy and lawful access to personal data at Tucows

Tucows provides reasonable, lawful access to non-public registration data; this means constantly working to balance the privacy rights of registrants against the rights of third parties, most of which, in our experience, are related to intellectual property rights (90% of all requests). In addition to the usual statistics, this update also includes a deep dive into actual examples of some problematic disclosure requests, a discussion of the reasoning behind denials, and what this means for the industry conversation about disclosure requests.

These ongoing updates are intended to provide insight into the disclosure requests Tucows receives and to serve as useful data for discussion as our industry moves toward a holistic policy governing the disclosure of private data.

Tiered access statistics

The statistics discussed below include data through the end of February 2020 (“Period 3”). Each request is a request for personal data regarding the registrant of a domain where that information is not publicly available. A member of the Compliance and Legal team reviews every request individually to balance the rights of the data subject and the legitimate interests of the requestor to determine whether and how much data should be disclosed; this includes consideration of Tucows’ contractual requirements as well as applicable laws—both privacy laws and intellectual property laws. This work is time-consuming and intense but there’s no other way to make sure that we’re making the right decisions about when to disclose the personal data we’re entrusted with.

 

Requests for data disclosure

Tucows received 238 requests for data in Period 3 (from mid-October 2019 to the end of February 2020), and 2,864 requests in total since the Tiered Access portal went live in May 2018.

Previously, data for Period 1 was discussed in OpenSRS’ Tiered Access Directory: a look at the numbers and for Period 2 in Tiered Access Data Disclosure Update.

 

Disclosure request outcomes – period 3

62% of requests received in this period resulted in registration data being disclosed to the requestor

This rate of disclosure is about double what it was in the previous two periods (24% in Period 1 and 36% in Period 2), indicating higher quality requests. This is likely related to the use of the RrSG Minimum Required Information for Whois Data Requests, which was drafted by ICANN’s Registrar Stakeholder Group (RrSG) to help standardize requests for domain data disclosure. Requests that use this format are easier to review (all of the required information is included in a predictable format) and deficiencies are simple to communicate to the requestor. It may also be due to Tucows’ outreach efforts to educate requestors about this format. This higher rate should be considered illustrative of success and a positive movement toward appropriate disclosure of personal data to parties with a legitimate purpose.

 

17% of requests were incomplete and the requestor did not respond to our follow-up for further information, so no data were disclosed

Despite formal outreach and personalized responses to each request, a significant number of requests are incomplete and responses seeking further information are ignored by the requestor. This is because either there is no party on the other end to review responses that do not include data (the request is automated and not appropriately monitored) or there was no reason to make the request in the first place and pushback had the correct effect of preventing unnecessary disclosure of personal data.

 

6% of requests for data were denied, following a determination that the requestor did not have an adequate lawful basis

This represents a decrease from the previous period but is level with Period 1 and the overall rate of denied disclosure requests.

 

12% of requests resulted in “disclosure” of Whois privacy information—that is, the same placeholder information already publicly available to a requestor

Parties experienced with our data disclosure request process have recently begun to specifically request data for domains clearly indicated in the public Whois as using Tucows’ Whois privacy services. In some cases, this has been accompanied by a dropoff in requests for the personal data of registrants without Whois privacy. In other cases, there has been no dropoff in requests for non-Whois privacy domains but the format of the request has changed, indicating that the requestor is aware of the fact that there is Whois privacy on the domains but is attempting to get the underlying data without submitting a subpoena, as is Tucows’ current process.

 

Requested vs. disclosed

Compared against previous reporting periods

 

Requests over time

Here’s an illustration of the total volume of requests Tucows has received since the launch of tiered access:

The number of requests appears to have stabilized, concurrent with the increase in quality of requests. Again, this is a positive trend as both requestors and the Tucows family of registrars have acclimated to the new privacy legal landscape.

Disclosure request outcomes, compared

It may seem counterintuitive but an increase in disclosure rates means that request quality overall is improving and signals a positive move toward appropriate disclosure.

Duplicate requests

Additional information on duplicate requests can be found in OpenSRS’ Tiered Access Directory: a look at the numbers (for Period 1) and Tiered Access Data Disclosure Update (for Period 2).

 

Categories of requestors

As noted above and in previous blog posts, disclosure of registration data is only granted when the requestor has demonstrated a legal basis to access the data. While requestors can be categorized into a few broad groups, inclusion in a certain group does not determine if and which data are disclosed. Each request is—and must be—evaluated on its individual merits. Requestors, therefore, are grouped below solely for analysis’ sake. The main tracked requestor types are:

• commercial litigation, which request disclosure of personal data in order to bring a legal claim of rights against the registrant
• law enforcement, carrying out an investigation or otherwise in the course of their work
• security researchers, who use certain aggregate data to identify trends in digital abuse
• other, which includes Certificate Authorities, resellers, private individuals, and sometimes even the registrants themselves.

 

Requests by requestor type

As you can see, Commercial Litigation has made up the bulk of requests since Tucows began tracking this data. Typically, these requestors are either companies that are created specifically to request this type of information on behalf of large corporate clients or are lawyers hired or employed primarily to request this type of information.

Also included in this category, however, are individual rights holders attempting to protect their rights (sometimes intellectual property, sometimes personal privacy rights) without the advantage of a company or a lawyer devoted to that purpose. Especially in light of the Preliminary Recommendations found in the EPDP Phase 2 Team’s Initial Report, it is important to ensure that individual rights holders continue to have a reasonable means of requesting the information necessary to protect their rights.

The rate of requests by Security Researchers is deceptively low because it is counted differently. Most requests are counted by the number of domains requested; when a request is received for the entire database, however, that is counted as just one request, not millions. Some Law Enforcement requests fall into this category, as do nearly all requests from Security Researchers. We currently do not allow unfettered access to our database to anyone and are working with representatives of both groups to come up with a means of providing the data necessary to conduct their investigations while protecting the privacy rights of individuals.

The Importance of human review

We regularly receive requests for disclosure of registration data which we deny after reviewing the request, the requestor, and the relevant data (including the domain name itself and any content that may be hosted there). In the interests of transparency and advancing industry discussion on this topic, we’ll share some real-life examples of denied requests along with the reasoning behind our decision below. For some of these, the domain names in question are relevant and therefore the requestor may become evident. We should emphasize that, due to the sheer volume of requests from certain requestors, a trademark or corporation may appear more than once. This should not be taken to mean that all requests from these requestors are invalid or are treated differently than any other requestor; the domain names are simply used as examples.

It is concerning that these invalid requests which, upon meaningful review, are readily apparent as invalid even to a layperson, continue to be submitted. This underscores the fact that any attempt at automation will result in numerous false positives and that meaningful human review is essential prior to disclosure.

These requests fall into three broad categories: duplicates, an issue with the allegedly infringed trademark, or fair use. As the majority of disclosure requests Tucows has received to date are for alleged trademark infringement, the examples below may fall primarily into that category; again, it should not be assumed that this is the only type of invalid request.

Duplicate requests

Prior posts (Period 1 and Period 2) have addressed the matter of duplicates and, as there has been a statistically-significant dropoff in duplicate requests, it will not be discussed here.

Issues with the request

Many disclosure requests include a list of all trademarks potentially infringed by a specific domain or set of domains; this is not ideal as the domain name must be compared to the list rather than to a single trademark that is being infringed and it is often not apparent to the reviewer which trademark is the issue. This lack of specificity also suggests that the request originates from an automated system.

A shocking number of disclosure requests relate to domains not registered with the Tucows family of registrars—sometimes these domains are not registered at all. We have even received a disclosure request alleging trademark infringement for a domain that predated the trademark’s registration. These issues point to the limitations of automation and the necessity of meaningful human review, which we’d like to see more of on the requestors’ side.

Fair use

The final category, fair use, includes multiple examples that are obvious to a layperson as non-infringing. Not included here are edge cases that ought to be adjudicated by a competent authority (whether at UDRP or in a local court).

petrolexcompany.com
Here, the domain includes the full trademark “Rolex” but is in use by a different company whose registered name (Petrolex) includes that trademark.

instantmonogram.com
letsfacethebook.com
In each of these cases, the domain name contains the whole trademark separated by additional characters (“Insta[…]gram” or “Face[…]book”) but bears no relation to any infringement of it. While these domains no longer have any hosted content, at the time of review, they were in use by a company specializing in personalized t-shirts and other apparel and by a biblical outreach group, respectively. Both of these are clearly fair use and should never have resulted in a request for data disclosure.

boucheriefacedeboeuf.com
lincolnstainedglass.com
zharfambook.com
These do not contain the full trademark but only portions of it or portions of misspellings previously adjudicated at UDRP (here, “f…bo” and “insta”). The domains boucheriefacedeboeuf.com and zharfambook.com remain active, in use by a butcher and what appears to be a literacy site. While lincolnstainedglass.com no longer has any hosted content, at the time of review, a small stained glass company was using it for their business. Again, these are clearly fair use upon meaningful human review.

addictedtofacebook.org
banned-by-facebook.com
divestfacebook.com
facebooksucks.org
protestfacebook.org
saynotoinstagram.com
While each of these domains uses the full trademark (“Facebook” or “Instagram”), they nevertheless evince an indication that the domain is or will be used to discuss grievances with the company in question. Tucows takes no position on the merits of these discussions but notes that trademark use should not be used as a cudgel against speech.

 

The Tucows process for disclosing data remains aligned with industry best practices and we continue to be actively involved at ICANN both to closely align our processes with expected policy outcomes and to ensure that the rights of all individuals are respected in those policies. We look forward to continuing to share these statistics on a regular basis to contribute to broader industry understanding of the registration data disclosure landscape.