Welcome back to our regular Tiered Access platform statistics series! If you’re here just for the numbers, you can jump right to the stats, but first, we’re going to focus on the question of “urgent” disclosure requests.
The discussions in our last few TACO Stats posts focused on the Registration Data Request Service, intended to be a central intake point for people to make registration data disclosure requests, but this isn’t the only work relating to registration data going on right now. Readers of our ICANN Policy recap series will know that the new Registration Data Policy is almost ready for prime time and, along with changes to data collection and processing, this Policy sets out requirements for how registrars handle disclosure requests sent directly to them, including response turnaround times for both regular requests and those flagged as “urgent.”
We’d like to add some context to the conversation about “urgent” requests. Here’s how the new Registration Data Policy defines it:
“‘Urgent Requests for Lawful Disclosure’ are limited to circumstances that pose an imminent threat to life, of serious bodily injury, to critical infrastructure, or of child exploitation in cases where disclosure of the data is necessary in combatting or addressing this threat. Critical infrastructure means the physical and cyber systems that are vital in that their incapacity or destruction would have a debilitating impact on economic security or public safety.”
At first glance, it makes sense that requests relating to “urgent” situations should be prioritized. But when you think through the practicalities and take a look at our TACO data, a different perspective emerges.
From May 2018 (when we began accepting data disclosure requests through our TACO platform) through to August 31, 2023 (the end of our most recent period), we received 83 registration data disclosure requests that the requestor marked as “urgent.” Most of these relate to intellectual property, where someone’s trademark or copyright is claimed to be used without authorization [1]; this also often includes investigations into online intellectual-property-related phishing. Further, the two exigent, “urgent” requests we did receive—the ones that actually fit the Policy’s definition—were looking for IP address information, not Whois data.
And when you think about it, this makes sense. Domain registration data is only rarely useful in a life-and-death situation—instead, what is typically necessary is hosting data or information pertaining to the IP address of a forum user. When there truly is an “urgent” situation that could benefit from the right people obtaining the right information, that’s not happening through the TACO platform or via a registrar’s responses to registration data disclosure requests. Instead, investigators and law enforcement use every path they can find, including direct calls to the registrar.
Part of my job is to explain the Internet to law enforcement, and I’m always happy to do so. When they call the batphone, they get to me, and I can explain to them what data Tucows has—and can provide on an exigent basis—and what data we do not have. A lot of law enforcement officers who have never had to deal with a threat posted to a web-based forum don’t know—and don’t need to know—the difference between a registrar and a hosting company, or an IP address and registration data. Those conversations are conversations and are best had quickly, on the phone, not through an email thread where someone claims it is “urgent” only to ultimately get data that simply will not help them.
Creating requirements to allow for “urgent” requests that are not limited to local law enforcement means that some people will ignore the definition and flag their requests as “urgent” simply to jump the queue, flooding the inbox with requests that must be triaged immediately. Meanwhile, the situations that do relate to an imminent or immediate threat are not resolved by the disclosure of domain registration data.
It also bears noting that, of the “urgent” requests we received, 38.6% were abandoned. Even those who claimed urgency didn’t really think that the situation was exigent [2].
When everything is “urgent,” nothing is.
Urgent requests by requestor and outcome
For those of us who like things to be presented a bit more visually, we can look at the requests marked as “urgent” broken down by requestor type and outcome. Please note that local law enforcement does not use this mechanism to get time-sensitive information.
And now, on to the new statistics!
We received 119 data disclosure requests in the current period, bringing our total since May 2018 up to 5406.
Below, you’ll find the outcome of these requests and how that has changed over time, starting with our new period (1 May – 31 August 2023).
Data disclosure request outcomes: New Period (May – August 2023)
In our last Tiered Access update, we added a new category for domains with data that is already public. During this most recent period, no requests fell into that category.
Request outcomes, compared:
Our successful disclosure rate was back up this period, after a decrease last time due to the high volume of requests for domains that were not registered with us. The rate of abandoned requests remained steady while denials dropped back down, and requests for domains with Whois Privacy enabled on them increased somewhat.
Requests by requestor category
Requests during this period were fairly evenly dispersed among law enforcement, commercial litigation, and “other,” which is a significant increase in requests attributed to the “other” category. These “other” requestors included hosting providers working on fraud investigations as well as cryptocurrency and other fraud victims seeking assistance. It also included a series of requests from a foreign government, which is not quite the same as foreign law enforcement, which is counted in the law enforcement group.
Requests by category: new period (May – August 2023)
Requests by category since 2018
Requests by category (total)
Requests from law enforcement made up 25% of total requests over the last two years and as much as 59% of requests in the first few years of TACO operations, as a result of the low request rate during TACO’s early days. However, the law enforcement portion of the overall total still remains significantly below that of the civil litigation request group, underscoring the fact that the primary usage for this system is civil litigation—and primarily intellectual property. It will be interesting to see how the rates progress over time, and if the rate of “other” requests continues to grow as it has over the past year.
Abandoned requests by requestor category (May – August 2023)
Total requests over time
Finally, we can look at the total number of requests received over just about five years of operating our TACO platform. The monthly rate still shows spikes every so often, though not as much as we saw in 2018, just before the ICANN63 meeting, which we wrote about in our very first TACO Stats post.
We hope that this information continues to be informative and look forward to seeing our ICANN community colleagues at ICANN78 in Hamburg!
To read our past Tiered Access blog posts, please see:
- OpenSRS’ Tiered Access Directory: a Look at the Numbers (May 2018 – mid-February 2019)
- Tiered Access Data Disclosure Update (mid-February – mid-October 2019)
- Privacy and Lawful Access to Personal Data at Tucows (mid-October 2019 – end of February 2020)
- Whois History and Updated Tiered Access Statistics (March – end of August 2020)
- Tiered Access request review process and updated statistics (September 2020 – end of August 2021)
- Tiered Access update: refreshed statistics and law enforcement processes (August – December 2021)
- Tiered Access update: registration data accuracy and updated statistics (January – April 2022)
- Tiered Access update and thoughts on due process (May – August 2022)
- TACO Platform Updates
- Tiered Access update: policy check-in and updated statistics (September – December 2022)
- Tiered Access update: centralized system development and updated statistics (January – April 2023)
[1] TACO has experienced multiple circumstances where a legal representative of an IP owner claims that the IP is being misused, but, in fact, the IP is being used with permission.
[2] The one denial came about because the requestor intended to file a UDRP; pre-filing disclosure of the registration data is not necessary. Neither is a UDRP a speedy process that should result in any kind of “urgent” request.