It’s been quite some time since our last Tiered Access statistics update. In the interim, we’ve been hard at work managing requests for disclosure of previously public registration data and, before jumping into the numbers, we wanted to share what this work looks like.
Our review process
Our Tiered Access team reviews each data disclosure request we receive, considering a number of factors including the domain and any content hosted on the domain, the presence or absence of our Whois Privacy service, the identity of the requestor, and their stated purpose for requesting the data.
A decision to disclose domain name registration data carries the risk of upsetting the domain owner, which could result in calls to their reseller, messages to our legal team, and possibly even a report to a relevant supervisory authority. More important than the potential upset, however, is the risk of processing personal data without an adequate legal basis and helping another entity to do so.
That said, decisions not to disclose can also carry significant consequences. The requestor may well have a legitimate aim in mind, with a solid legal need for the data underlying their request.
Whether we disclose or not, someone is likely to be unhappy, which is why it’s so important that our process is centered around meaningful human review of each individual request: every decision we make needs to be backed up with legal expertise and grounded in thoughtful consideration of the unique situation at hand.
In June, we started charging a reasonable fee for the time and effort expended reviewing the hundreds of disclosure requests we receive, similar to the EPDP Phase 2 Team’s recommendation that ICANN’s Standardized System for Access and Disclosure (SSAD) operate on a cost-recovery basis. The time and effort spent reviewing these requests is not negligible and the task cannot be passed off to automated systems; as we have discussed both in this post and in previous blogs, human review is essential in order to consider all the factors and balance the requestor’s legal basis against the data subject’s rights. This is compounded by the rate of invalid requests—even from third parties who have previously submitted legitimate ones—and means we cannot simply trust that every request we receive is reasonable and grounded in a lawful basis.
Tiered Access statistics for period 5
And now, on to the data! We’ve published these updates fairly regularly over the last couple of years:
- Period 1 (May 2018 – mid-February 2019): OpenSRS’ Tiered Access Directory: a Look at the Numbers
- Period 2 (Mid-February – mid-October 2019): Tiered Access Data Disclosure Update
- Period 3 (Mid-October 2019 – end of February 2020): Privacy and Lawful Access to Personal Data at Tucows
- Period 4 (March – end of August 2020): Whois History and Updated Tiered Access Statistics
Period 5 now covers from September 2020 through to the end of August 2021. Because the periods are not a consistent length, all comparisons between periods use percentages rather than actual figures.
Disclosure request outcomes, period 5
Here are the outcomes of the 1108 requests we received during this period:
Our disclosure rate remained stable in period 5 (75% in period 4 to 74% in period 5), while denied requests dropped from 11% to 9%. We still attribute this to our educational outreach, both to requestors specifically and to the general public in various contexts.
The total number of requests received since we began tracking this in May 2018, is 4478.
Compared against previous reporting periods
Requests over time
Here’s an illustration of the total volume of requests Tucows has received since the launch of our Tiered Access platform. There are fluctuations in our request volumes, but the monthly totals tend to fall within a consistent range (with the exception of spikes in November 2018, and November 2020):
Disclosure request outcomes, compared
The rate of requests resulting in disclosure of registration data remained stable from period 4 to period 5:
Incomplete or abandoned requests increased only slightly from period 4 to period 5, but we remain optimistic, as the rate remains fairly low overall, and is much lower than when the request process was first implemented:
The rate of denied requests dropped a bit (by 2%) from period 4 to period 5 but has not exceeded 11% in any period:
Requests for contact data associated with privacy-protected domains increased slightly in period 5; the trend we identified in period 4 has continued: specific requestors are aware that the domains in question use Whois Privacy and that Tiered Access is therefore not an appropriate way of getting access to the associated registration data, but they make the request anyway:
Period 5 saw no duplicates from multiple sources, while the rate of duplicate requests from the same source dropped from 3% in period 4 to 1% in period 5:
Requests by requestor category
We group requestors into four main categories:
- Law enforcement, carrying out an investigation or otherwise in the course of their work
- Security researchers, who use certain aggregate data to identify trends in digital abuse
- Commercial litigation, requesting disclosure of personal data in order to bring a legal claim of rights against the registrant
- Other, which includes certificate authorities, resellers, private individuals, and sometimes even the registrants themselves
As in previous periods, the vast majority of requests are sent in by commercial litigators: 87% in period 5, compared to 85% in period 4. In fact, we receive so many requests from commercial litigators that it drives other categories off the charts. Security researchers, a category of requestors frequently raised and touted as needing urgent access to previously public whois information, are represented in this chart by only one request in period 5. Not 1% of all requests but one single request in this category.
We had a small set of requests from both law enforcement (9%, down from 12% in period 4) and other types of requestors (less than 1% in period 5, down from 3%). We note that, for period 5, the rate of commercial litigation requests outweighs law enforcement requests almost exactly 10 to 1, a ratio that has been reasonably stable throughout our reporting periods.
We look forward to continuing to track the disclosure of previously public domain name registration data, including sharing the statistics for future review and insight into our industry.