We disclose data through TACO on a regular basis to people who have proven a “legitimate interest” (these are the requirements of GDPR). There is another way, however, to get access to the data that Tucows holds; adequate due process. Recent events in the news have underscored that due process is one of the most important civil rights that many people don’t understand. Before we launch into this period’s TACO statistics, we’re going to share our thoughts on due process and its implications on access to registrant data and our data disclosure practices at Tucows.
Due process is hard. But it’s meant to be at least a little hard as a protection of civil liberties.
In Canada—and, indeed, all common-law countries, including the United States—“due process” is related to the presumption of innocence and requires an examination of the facts of each case, recognizing the importance of protecting the legal rights of those charged—or yet to be charged—with criminal offenses. Due process is a fundamental civil right.
There are different ways that law enforcement can adhere to their due process obligations. Some of the most common are: warrant, subpoena, and civil investigative demand.
Warrants
Warrants can be related to civil or criminal matters and require submission of evidence to a court1, which reviews the evidence before deciding whether to approve the warrant. Warrants can be issued “under seal”, meaning that Tucows is legally barred from discussing the existence of the warrant, including with the person whose data are requested. This restriction is included as part of the warrant itself and typically involves a compelling demonstration that disclosure would jeopardize the investigation; it may also impose a timeline on the use of that information in bringing a case to the court. In these cases, we, of course, do not disclose the existence of the warrant.
Subpoenas
A subpoena is similar to a warrant in that it may be civil or criminal and that the requestor must present information to a court, and the court must agree that there is a good reason for the requestor to get the information they’re looking for.
Civil investigative demands are a specific kind of American federal “subpoena” that, again, requires that an agency—typically the Department of Justice—present evidence that they have to a court in order to get evidence that they do not yet have.
For all these types of due process, upon receipt of a demand issued by or valid in Canada, Denmark, Germany, or the United States, as above, Tucows will inform the registrant (or reseller, or both, as relevant); this gives them the opportunity to attempt to quash2 the request. Failing such quashing, we will comply with the due process demand, which typically results in the release of data. You can read more about Tucows’ commitments to transparency at a Well-Lit DNS and the Power of a Registrar.
A request for data as a result of adequate due process is usually a request for more data than just previously-public Whois information3. It can include historic Whois data, sometimes for the life of the domain, as well as information about the account that the domain is in, information about other domains in that account, and other information beyond just what is currently in our Whois database.
Data disclosed in response to warrants, subpoenas, or civil investigative demands are not part of what we cover in our TACO statistics reviews, but we do have some of that data and want to present it here. Here are some facts about the data Tucows has disclosed in the last few years on the basis of due process:
For our Enom brand, we have responded to almost 800 due process requests for data since we began tracking in 2017. We only started tracking rates of due process requests for OpenSRS this year, and have received just over 100 such requests so far in 2022. It’s important to note that these requests are made not only for data relating to domain owners but also for other data, including an individual or business name, an IP address (which we usually do not have), or an email address. Additionally, due process requests are often a single request for several domains or other identifiers; the request rate should be considered with that in mind as it may not directly correspond to our TACO requests (which are tracked per domain).
We can compare Enom due process requests to TACO requests submitted by law enforcement for Enom domain data. We note that subpoena rates have dropped from year to year, while correspondingly we see an increase in TACO requests from Law Enforcement Agencies.
This suggests that due process and our TACO system are both serving the role they were meant to. The changes made in our industry to appropriately minimize data as required under relevant data protection laws did not stymie law enforcement’s investigative efforts. Instead, in cases where law enforcement’s need for evidence can be fulfilled with a smaller set of data, they can obtain that information via TACO—and they do, following a much simpler process than that of obtaining a warrant, subpoena, or civil investigative demand. In cases where they need additional information, they have the tools to prove their need to a court: they follow due process.
It is as hard as it’s supposed to be—come back with a warrant.
Now, let’s look at what you came here for: TACO stats.
Tiered Access statistics, May-August 2022
The total number of Tiered Access disclosure requests received since we began tracking in January 2018 is now 5,043. Below you’ll find the outcome of these requests and how that has changed over time, starting with our new period (May to August 2022).
Data disclosure request outcomes: New Period (May-August 2022)
Request outcomes, compared:
The disclosure rate for the current reporting period is on track with the first few months of this year and 2021. We note an increase in incomplete or abandoned requests (from 16% up to 25%), and a corresponding decrease in denials (from 15% down to 7%):
Requests by requestor category
In our last blog post, we noted an increase in disclosure requests from law enforcement, attributed to one specific requestor. This has now evened out and the request rates are more similar to those of 2021 than to what we saw in the first few months of 2022.
Requests by category: new period (May-August 2022)
Requests by category since 2018
Requests by category (overall)
Requests continue to come primarily from commercial lawyers, with the second-largest set being from law enforcement:
Abandoned requests by requestor category
We note that there was only one ticket from a Security Researcher in this period, who requested data for five domains. This request was unfortunately abandoned without providing the necessary information, so we could not disclose any data in response. The abandon rate for law enforcement was also higher than in the last period (34% here, compared to 13% previously).
Total requests over time
July was a very busy month for our TACO team: a single commercial litigation requestor submitted a single request asking for data relating to just under 100 domain names, causing a visible spike in the monthly request rate. Other than that, the monthly rate for May to August 2022 remains between 30 and 50 requests per month, similar to most months in the preceding year.
We look forward to seeing you at ICANN75, whether in person or virtually, and we remain available to discuss how TACO disclosures and due process requests are handled.
To read our past Tiered Access blog posts, please see:
- OpenSRS’ Tiered Access Directory: a Look at the Numbers (May 2018 – mid-February 2019)
- Tiered Access Data Disclosure Update (mid-February – mid-October 2019)
- Privacy and Lawful Access to Personal Data at Tucows (mid-October 2019 – end of February 2020)
- Whois History and Updated Tiered Access Statistics (March – end of August 2020)
- Tiered Access request review process and updated statistics (September 2020 – end of August 2021)
- Tiered Access update: refreshed statistics and law enforcement processes (August – December 2021)
- Tiered Access update: registration data accuracy, and updated statistics (January – April 2022)
- “A Court:” when we say “court”, we mean “a judge or a magistrate authorized to preside over this type of request”: this third party ensures that the lawyer or law enforcement officer really needs the information they’re requesting and balances the rights of the data subject.
- “Quash:” a fun legal word because lawyers like to use words no one else uses: it means to void the warrant or subpoena so Tucows doesn’t have to comply with it.
- “Previously-public Whois information:” what you can see in a TACO search: the current registrant Whois information.