Tiered Access update: refreshed statistics and law enforcement processes

In May 2018, Tucows moved to redact all personal data from the default public Whois in order to comply with the GDPR[1] and other data protection laws. Since then, the primary way for third parties to access domain name registration data that we hold is to place a request through our Tiered Access Compliance and Operations (TACO) platform. This post is the sixth in a series where we publish statistics about the data disclosure requests received through our Tiered Access platform, the goal being to provide context and transparency that supports effective discourse in the domains, ICANN, legal, and law enforcement communities, as well as the general public.

Before presenting the numbers (you can skip to those if you like), we want to speak to a concern first raised back in May 2018, and consistently ever since: that redacting data from the public Whois stymies law enforcement efforts.

Effective access to Whois data for law enforcement

Disclosing non-public personal data to law enforcement officers in the course of their duties is provided for under data protection laws—including the GDPR[2]—and we certainly don’t want to stand in the way of law enforcement work. We assist.

Our practices reflect this. Tucows has a physical presence in Canada, Denmark, Germany, and the United States and we treat requests from these countries’ local law enforcement as sufficient in themselves: an RCMP officer requesting previously-public Whois data in their official capacity will have it provided. Requests from foreign law enforcement (outside these jurisdictions) are treated the same as any other request: the requestor must provide the information and assurances outlined in the RrSG-recommended Minimum Required Information for Whois Data Requests[3] and the request is reviewed and evaluated by our team.

This approach has worked well so far: local law enforcement gets speedy access to the information they require to pursue their investigations, while foreign law enforcement entities that provide requests in the appropriate format regularly have their requests reviewed and, where appropriate, access is quickly granted.

It should be noted that none of this applies to underlying customer data protected by our Whois Privacy service, to any historic Whois or billing information, or to any information Tucows may hold beyond publicly-redacted Whois data. In those cases, requestors must always provide a warrant (or a subpoena, for non-law enforcement requests) issued by or domesticated into one of our local jurisdictions. These types of requests are not processed through our Tiered Access system and so do not factor into the data laid out below or in past Tiered Access blogs.

Since we started tracking statistics for Tiered Access Compliance and Operations (TACO), we’ve received a total of 316 requests from law enforcement, of which 22% are from local law enforcement and 78% are from foreign law enforcement. It is not surprising that local law enforcement represents a smaller portion of overall requests—we only consider four jurisdictions “local” and there are thousands of jurisdictions around the world.

These low request rates from law enforcement—especially when compared to those from commercial interests—indicate that law enforcement agents are not in need of unmasked Whois information very often. A frequent complaint in the ICANN space—as well as at the European Commission—is that the extra step of having to ask for previously-public data curtails legitimate law enforcement purposes. This is a common talking point used not just by law enforcement interests but by other groups that want the ability to collect Whois data en masse because of outdated business models. The argument that law enforcement suffers from gated Whois access finds support because of the mistaken belief that if one party, in this case law enforcement, is allowed such wholesale access, then another party, such as private actors, will be allowed it too. The data simply do not support this argument; by far, the parties most interested in Whois access are commercial actors and not law enforcement.

Updated Tiered Access statistics

These numbers have been tracked since January 2018 but the reporting periods in these blog posts have been admittedly arbitrary. In an effort to make the data more useful, we’re standardizing our reporting periods to be annual. If you have any suggestions for other ways we can improve these updates, please reach out.

We’re also trying something new this time: contextualizing these numbers in relation to the total number of domains under management (DUM) as of the end of the relevant year[4]. This provides only a snapshot, since DUM is calculated as of one single day, when in reality, the number of domains registered through the Tucows family of registrars fluctuates. It still provides a sense of how the total number of requests for data compares to Tucows’ total number of registrations.

Data disclosure request outcomes

The total number of Tiered Access disclosure requests received since we began tracking in January 2018 is 4,649. Here is a look at the outcome of these requests and how that has changed over time, starting with those submitted in the most recent, not-yet-reported period: August – December 2021.

Disclosure request outcomes: Period 5 (August – December 2021)

Request outcomes from 2018 – 2021, compared

What follows is a comparison by year of various trackable statistics we think are relevant to compare in order to gauge the use of TACO and track how that use has changed over the years.

Disclosure rates from 2018 – 2021

The rate of requests resulting in disclosure of registration data dropped from 2020 to 2021, but both years remain higher than either 2018 or 2019; the overall upward trend shows that repeat requestors are increasingly familiar with what constitutes a legitimate basis for disclosure and what information they need to include in a request:

Abandoned request rates from 2018 – 2021

Abandoned requests[5] doubled from 2020 to 2021 (we don’t know why this occurred) but remained well below the high rates of preceding years when we saw what seemed to be politically-motivated requests come in at high volume only to be abandoned:

Denied request rates from 2018 – 2021

Since 2019, the rate of denied requests has remained fairly steady with a consistent 1% drop year on year. The first year of requests saw very few denials in terms of percent because there were so many abandoned requests—we never got enough information to make a denial decision.

Requests for data associated with privacy-protected domains 2018 – 2021

When requests for contact data associated with Whois privacy-protected domains are received through Tiered Access, we respond with a gentle reminder that the information they can get through the public Whois is the same as the information available through TACO. It is disappointing to continue to see these requests despite ongoing reminders to repeat requestors that they need to submit adequate due process in order to obtain underlying data for customers with Whois privacy. The vast majority of these requests come from institutional requestors who are familiar with the process and may simply be checking a box for their customers to show that they “requested” the data, even though they know it won’t result in disclosure.

Requests by requestor category

We group requestors into four main categories:

  • Law enforcement, including local or foreign law enforcement as well as governmental officers carrying out an investigation or otherwise in the course of their work
  • Security researchers, who request data to identify trends in digital abuse
  • Commercial litigation, requesting disclosure of personal data in order to bring a legal claim of rights against the registrant
  • Other, which includes certificate authorities, resellers, private individuals, and sometimes even the registrants themselves

During the most recent period, the bulk of our requests came from commercial litigation, a pattern that becomes more pronounced when you look at the data since 2018:

Requests by category 2018 – 2021

There are many in commercial litigation who claim that the parties in greatest need of previously-public Whois data are law enforcement and security researchers. However, our numbers tell a different story: commercial litigation is far and away the most interested in previously-public Whois data. In fact, law enforcement and security researchers represent a very small percentage of requests—the latter group is barely even visible on the graph above (representing only half of a percent).

This is clear not just in the aggregate, as above, but annually:

Annual requests by category 2018 – 2021

We can also see a few positive trends emerge here, specifically:

  • Requests from law enforcement show a steady increase, pointing to the fact that law enforcement continue to be able to do their job while the vast majority of customers can benefit from the GDPR’s privacy requirements.
  • Law enforcement agents are becoming increasingly familiar with the process.
  • Requests from “other” categories have decreased over time as people get used to contacting registrants using an online form, accessible in the Whois output, rather than a publicly-displayed email that can easily be spammed. Early on, one of the largest subsets of “Other” included unsolicited requests to purchase a domain.

Of the 649 total requests that were received in 2021, 19% of those were abandoned; here’s how those abandoned requests break down by requestor category. Note that these are shown as a percentage of the total number of requests submitted by members of that category, not a percentage of the total abandoned requests for the year.

Abandon rates in 2021 by requestor type

While law enforcement abandonment rates are high, remember that these are solely foreign law enforcement requests—local law enforcement need make no showing beyond a request to view previously-public Whois information while foreign law enforcement must provide a legitimate reason for their request.

An overview of requests over time

Requests vs. domains under management

The number of requests we receive means more when you know how many domains we have under management. In this case, a visual representation isn’t terribly effective because the ratios are so low. Instead of a graph, we are sharing the actual numbers[6]:

Even when all 4,649 requests for previously-public Whois data are considered together, they represent only two hundredths of one percent (0.02%) of total domains under management. In a separate post to be published later this week, we’ll look at ICANN’s estimates for how many requests might go through a centralized portal and how those estimates stack up against actual data from our TACO platform.

Tucows will continue to track and report on the disclosure of previously public domain name registration data. We feel it’s important to be as transparent as possible, as this remains a topic of high concern. Tucows has found what we believe is a reasonable balance between a domain owner’s right to privacy and legitimate law enforcement needs for access to that data. Especially when compared to the domains whose data are neither requested nor disclosed, a fully-public Whois is a disproportionate solution.

If there are specific data points or sets we have not included and which you think will be useful or informative, please don’t hesitate to get in touch!

We are also pleased to provide a demo of our system to anyone who is interested in how the TACO system works.

To read our past Tiered Access blog posts, please see:

[1] Although the GDPR was in effect long before, it was not being enforced until May 2018.
[2] GDPR 6(1)(e): “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
[3] This document was created by the ICANN Registrar Stakeholder Group as a standard minimum set of data which must be provided in order for a request for previously-public Whois data to be evaluated for sufficiency under the GDPR. For local law enforcement (Canadian, Danish, German, and American), Tucows does not require due process before providing previously-public Whois data, though this is required for data beyond what was publicly available before May 2018; for example, data protected by a Whois privacy service. For foreign law enforcement, the RrSG-recommended Minimum Required Information for Whois Data Requests provides us with the information necessary to review and evaluate the request like any other third-party requestor.
[4] Domains under management (DUM) statistics include the whole Tucows Family of Registrars: Ascio (once it was acquired), EPAG, Enom, and OpenSRS, and is rounded to the nearest hundred thousand. We also manage millions of domains for other registrars which are not included in the DUM since we do not manage Tiered Access requests for these registrars.
[5] Abandoned requests are defined as those where incomplete data was submitted and the requestor didn’t respond to our request for further information.
[6] Rounded to the nearest 100,000.