Tiered Access request review process and updated statistics

It’s been quite some time since our last Tiered Access statistics update. In the interim, we’ve been hard at work managing requests for disclosure of previously public registration data and, before jumping into the numbers, we wanted to share what this work looks like.

Our review process

Our Tiered Access team reviews each data disclosure request we receive, considering a number of factors including the domain and any content hosted on the domain, the presence or absence of our Whois Privacy service, the identity of the requestor, and their stated purpose for requesting the data.

A decision to disclose domain name registration data carries the risk of upsetting the domain owner, which could result in calls to their reseller, messages to our legal team, and possibly even a report to a relevant supervisory authority. More important than the potential upset, however, is the risk of processing personal data without an adequate legal basis and helping another entity to do so.

That said, decisions not to disclose can also carry significant consequences. The requestor may well have a legitimate aim in mind, with a solid legal need for the data underlying their request.

Whether we disclose or not, someone is likely to be unhappy, which is why it’s so important that our process is centered around meaningful human review of each individual request: every decision we make needs to be backed up with legal expertise and grounded in thoughtful consideration of the unique situation at hand.

In June, we started charging a reasonable fee for the time and effort expended reviewing the hundreds of disclosure requests we receive, similar to the EPDP Phase 2 Team’s recommendation that ICANN’s Standardized System for Access and Disclosure (SSAD) operate on a cost-recovery basis. The time and effort spent reviewing these requests is not negligible and the task cannot be passed off to automated systems; as we have discussed both in this post and in previous blogs, human review is essential in order to consider all the factors and balance the requestor’s legal basis against the data subject’s rights. This is compounded by the rate of invalid requests—even from third parties who have previously submitted legitimate ones—and means we cannot simply trust that every request we receive is reasonable and grounded in a lawful basis.


Tiered Access statistics for period 5

And now, on to the data! We’ve published these updates fairly regularly over the last couple of years:

Period 5 now covers from September 2020 through to the end of August 2021. Because the periods are not a consistent length, all comparisons between periods use percentages rather than actual figures.

Disclosure request outcomes, period 5

Here are the outcomes of the 1108 requests we received during this period:

Our disclosure rate remained stable in period 5 (75% in period 4 to 74% in period 5), while denied requests dropped from 11% to 9%. We still attribute this to our educational outreach, both to requestors specifically and to the general public in various contexts.

The total number of requests received since we began tracking this in May 2018, is 4478.

Compared against previous reporting periods

Requests over time

Here’s an illustration of the total volume of requests Tucows has received since the launch of our Tiered Access platform. There are fluctuations in our request volumes, but the monthly totals tend to fall within a consistent range (with the exception of spikes in November 2018, and November 2020):



Disclosure request outcomes, compared

The rate of requests resulting in disclosure of registration data remained stable from period 4 to period 5:

Incomplete or abandoned requests increased only slightly from period 4 to period 5, but we remain optimistic, as the rate remains fairly low overall, and is much lower than when the request process was first implemented:

The rate of denied requests dropped a bit (by 2%) from period 4 to period 5 but has not exceeded 11% in any period:

Requests for contact data associated with privacy-protected domains increased slightly in period 5; the trend we identified in period 4 has continued: specific requestors are aware that the domains in question use Whois Privacy and that Tiered Access is therefore not an appropriate way of getting access to the associated registration data, but they make the request anyway:



Duplicate requests

Period 5 saw no duplicates from multiple sources, while the rate of duplicate requests from the same source dropped from 3% in period 4 to 1% in period 5:

 



Requests by requestor category

We group requestors into four main categories:

  • Law enforcement, carrying out an investigation or otherwise in the course of their work
  • Security researchers, who use certain aggregate data to identify trends in digital abuse
  • Commercial litigation, requesting disclosure of personal data in order to bring a legal claim of rights against the registrant
  • Other, which includes certificate authorities, resellers, private individuals, and sometimes even the registrants themselves

As in previous periods, the vast majority of requests are sent in by commercial litigators: 87% in period 5, compared to 85% in period 4. In fact, we receive so many requests from commercial litigators that it drives other categories off the charts. Security researchers, a category of requestors frequently raised and touted as needing urgent access to previously public whois information, are represented in this chart by only one request in period 5. Not 1% of all requests but one single request in this category.

We had a small set of requests from both law enforcement (9%, down from 12% in period 4) and other types of requestors (less than 1% in period 5, down from 3%). We note that, for period 5, the rate of commercial litigation requests outweighs law enforcement requests almost exactly 10 to 1, a ratio that has been reasonably stable throughout our reporting periods.

We look forward to continuing to track the disclosure of previously public domain name registration data, including sharing the statistics for future review and insight into our industry.