The first Tiered Access post of the year is always interesting because we can look back at the past year as a whole and compare it to previous years.
This time, we also have the earliest data about requests submitted to Tucows via ICANN’s new Registration Data Request Service (RDRS). This is the pilot project created to help the ICANN Board determine whether or not a permanent System for Standardized Access/Disclosure (SSAD) is worthwhile. If you regularly read our ICANN and TACO updates, you’re likely already familiar with the RDRS and potential future SSAD. In short, it’s a central intake for people who want access to previously-public Whois data; ICANN then forwards the requests to the relevant registrar. ICANN is also using the RDRS to gather industry-wide request statistics similar to what we track for our own TACO platform.
TACO vs. RDRS: statistics compared (December 2023)
ICANN has published its first set of data from the RDRS, but we’re going to focus on how requests submitted to us via the RDRS compare to those initiated directly through TACO. Since the RDRS launched in late November 2023, this section will only look at requests submitted in December 2023.
Request rates
In December 2023, we received a total of 54 registration data disclosure requests: a bit less than half were sent directly through TACO, and the rest came through RDRS. The December rate of 54 requests is higher than almost every other month in 2023, with the exception of August, which also saw 54. While the reason for the spike in August is unclear, it may be that the increase in December occurred because requestors who would not otherwise have known how to submit a request were able to do so because of RDRS.
Request outcomes
When comparing request outcomes between the TACO and RDRS platforms, there’s no statistical difference between the number of successful requests for each platform. However, more TACO-submitted requests are denied while RDRS users are twice as likely to abandon their requests.
Right now, the sample size is far too small to draw any major or lasting conclusions; it’s still interesting to look at initial numbers and watch trends as they develop.
It is also worth noting that there were four RDRS requests from people who expected that we would reveal information behind our Contact Privacy service. This is not surprising; there is a lack of clarity about what information is available through RDRS. Tucows still requires appropriate due process before revealing anything other than previously-public Whois information, and we are working with other members of the ICANN Community to better convey this.
Request types
In our TACO reporting, we sort each requestor into a category: LEA, Commercial Litigation, Security Researcher, and Other. This helps us identify broad trends (internally, we also distinguish between, for example, local and foreign law enforcement). The RDRS, in contrast, allows each requestor to assign a category to each request. This means a person can make a “law enforcement” request one day and a “litigation” request the next. While the form and function of the RDRS require this type of self-reporting, it is frustrating from our perspective—if only because it complicates comparing the two systems!
Further complicating the matter is the fact that, as you can see from the ICANN reporting, the RDRS and TACO use different category names. “Consumer Protection,” for example, could qualify as “LEA” under our rubric (such as a Secretary of State investigating a report) or as “Commercial Litigation” (such as a company representative looking for information about alleged counterfeit goods). There are also some categories that we combine into one. For example, the RDRS’ “Litigation Dispute Management” and “IP Holder” categories both count as “Commercial Litigation” in TACO.
Because the requestor selects the category as part of the submission process, we found that about half of our RDRS requests1 are miscategorized. This also means that, although ICANN has published data about request categories, these self-reported categories result in inaccurate data.
All this makes it difficult to draw comparisons between our raw TACO statistics and ICANN’s RDRS. That said, within our own reporting, we have categorized each RDRS request using the appropriate TACO term to make comparing the two systems possible. We hope this is useful.
In this period, the majority of the requests we received from LEA were submitted through our TACO platform, while the majority of requests related to commercial litigation came through the RDRS: this includes intellectual property enforcement as well as concerns about website content (e.g. defamation). The only “consumer protection” request we received through RDRS was from a lawyer representing an IP holder.
Looking at the “Other” category in a bit more detail, four of the 10 RDRS requests came from registrants themselves, which is not an appropriate or intended use of the system. As a wholesale registrar, we want our registrants to contact their reseller directly for access to their registration data. In cases where the registrant purchased the domain directly from a registrar, it’s best that they contact the registrar directly, not through ICANN. There were also requests from “domain investors.” We rarely disclose data to domain investors since there are alternative means of contacting registrants directly; we see this as a misuse of the RDRS system.
There continue to be issues around accurate requests; TACO requestors are now familiar with the process and typically include all relevant information we need to make a determination about their request. It is natural that the RDRS will have these types of growing pains too.
Tiered Access Statistics: 2023 compared to past years
Even though these will still be “Tiered Access Statistics”, note that, now, they will always include requests received through RDRS. This is because the RDRS system is not a disclosure system and TACO is—RDRS is just a request system.
We received 129 data disclosure requests in the new reporting period (September – December 2023), bringing our total since May 2018 to 5538. Below you’ll find the outcome of these requests and how that has changed over time, starting with our new period.
Data disclosure request outcomes: New Period (September – December 2023)
Request outcomes, compared
Our successful disclosure rate was a bit lower this period than last, though not the lowest we’ve seen, and incomplete or abandoned requests are, unfortunately, on the rise after a steady decline for two periods. As discussed above, we attribute this to RDRS requests; hopefully this will begin to decrease as people get familiar with the RDRS. Denials remained steady from the last period and requests for domains with Privacy or Proxy data dropped significantly. We had only one request for a domain with data that is already public, a fairly new category in our reporting.
Requests by requestor category
We like to look at the total number of requests broken down by requestor category for three time spans: the new period, the year as a whole, and since the inception of TACO.
Looking at the final months of 2023, we see that Law Enforcement was the primary requestor category, with Commercial LItigation in second place; this has been the pattern for all of 2023, although it was not in the preceding years. As seen in the “requests by category since 2018” chart, during TACO’s first five years, Commercial Litigation requests outnumbered those from Law Enforcement; this continues to skew overall totals.
Requests by category: new period (September – December 2023)
Requests by category since 2018
Requests by category (total)
Abandoned requests by requestor category (September – December 2023)
A request is considered “abandoned” when insufficient data is provided for us to make a disclosure decision and the requestor doesn’t respond to our request for more information by the time we compile the report. The chart below shows us the portion of requests submitted by each requestor group that were then abandoned; Law Enforcement is least likely to abandon requests.
Total requests over time
When we look at the total request volume since we first started operating the TACO platform in 2018, annual totals continue to drop, even if monthly rates fluctuate.
To engage in some blithe speculation, I would like to consider that this is because people have become used to the fact that Whois data is not—and should not be—freely available to all comers. RDRS does not change this state of affairs.
Number of requests, year over year
Request rates by month
If there are other metrics you’re interested in, we’d love to hear from you!
To read our past Tiered Access blog posts, please see:
- OpenSRS’ Tiered Access Directory: a Look at the Numbers (May 2018 – mid-February 2019)
- Tiered Access Data Disclosure Update (mid-February – mid-October 2019)
- Privacy and Lawful Access to Personal Data at Tucows (mid-October 2019 – end of February 2020)
- Whois History and Updated Tiered Access Statistics (March – end of August 2020)
- Tiered Access request review process and updated statistics (September 2020 – end of August 2021)
- Tiered Access update: refreshed statistics and law enforcement processes (August – December 2021)
- Tiered Access update: registration data accuracy and updated statistics (January – April 2022)
- Tiered Access update and thoughts on due process (May – August 2022)
- TACO Platform Updates
- Tiered Access update: policy check-in and updated statistics (September – December 2022)
- Tiered Access update: centralized system development and updated statistics (January – April 2023)
- Tiered Access update: “urgent” disclosure requests and updated statistics (May – August 2023)
148% of RDRS requests are miscategorized: an intellectual property lawyer indicating a law enforcement request, for example.