We are very pleased to announce several updates to the Tucows TACO Platform:
- Domain registration data lookups are now automatically disclosed to the domain owner, simultaneously with the data being provided to the requestor;
- TACO users can view their own account information;
- TACO users can report inaccurate data directly through the lookup results page;
Finally, we want to share our thinking behind our decision to start billing for TACO requests, which we’ve been doing since May 2021.
Disclosure notice to domain owners
We’re committed to data protection, privacy, and transparency. We want domain owners to understand how, when, and by whom their data is processed, including when it’s disclosed to third parties. Our TACO Platform now triggers an automated notification to the domain owner any time their registration data is accessed via TACO1, ensuring they’re properly informed.
People register domain names for all kinds of reasons—building community, sharing perspectives, and, of course, offering goods and services—and, while it’s reasonable and appropriate for their registration data to be disclosed in response to well-founded third-party requests, that doesn’t mean it should happen in secret; people have the right to know what happens to their data.
This notification will be sent to the registrant automatically, as soon as we disclose their data to a third party. The notice will contain the domain name and a list of which data elements were disclosed (but not the data itself), along with the requestor’s name, email address, and the reason they provided for looking up the data. This disclosure is required under data protection laws (including the GDPR) and, beyond that, it’s the right thing to do.
View account info
TACO users will now be able to view their account information, including the contact data we have on file. This allows requestors to ensure that their information is up to date and, of course, prompts requestors to notify us to update any outdated information, helping to streamline the request review process. Having correct data on file for requestors helps us ensure that we don’t deny access to someone who has a legitimate purpose for the data.
Report inaccurate data
Since its inception, ICANN’s Whois Accuracy Program Specification has encouraged complainants to report concerns directly to ICANN, who then forwards the complaint to the relevant registrar. We’ve introduced a means for TACO users to flag outdated or inaccurate data from within the TACO search results. We think this will lead to more accurate Whois data: as they’re looking up info for a given domain, TACO users can report any incorrect data with just a couple of clicks. Of course, complaints can still go to ICANN; this just allows us to correct information (or suspend domains) that much faster, by making sure that the report goes promptly to our Compliance team.
Why billing for TACO requests is necessary
In our last update, we discussed our thoughts on due process and the demand of TACO requests for data.
When Tucows—and most other registrars—first updated the public Whois database to conceal the information of private persons, third parties with a legitimate purpose for accessing current registrant information could not get that information as easily as before. Registration data was no longer available publicly nor was it available through a subscription to a Whois information data broker, whose information quickly became stale. Understanding this—and the legitimate uses that Whois information can serve in certain circumstances—Tucows created our Tiered Access Compliance and Operations system (TACO) and began individual review of requests for previously-public Whois information.
In order to establish that a requestor has a legitimate reason to access the personal data of a domain name registrant, we must evaluate each request and balance the interests and rights of the requestor against the rights of the data subject. To smooth and standardize this process, Tucows helped draft the RrSG-recommended Minimum Required Information for Whois Data Requests, a quick reference guide for requestors that outlines the basic information that a registrar requires in order to make a reasonable evaluation of the rights involved.
Unfortunately, many bulk requestors continue to submit requests in an automated fashion, without the basic information we require to evaluate the legitimacy of their request. In doing so, they essentially outsource the evaluation of their legitimate interests to us. Tucows has received thousands of requests for previously-public Whois data since May 2018. We individually evaluate each request to balance the rights of each party, determine the sufficiency and legitimacy of the request, and provide the appropriate level of access. Because of the volume and quality of the requests, as well as the significant time and effort it takes to review them, we began to bill for this service in May 2021.
Charging fees for compliance with other forms of legal process is not uncommon in the industry, and the vast majority of requests for registration data (approximately 90%) continue to come from commercial litigation interests and relate to suspected intellectual property infringement. The remaining 10% are spread across all other types of requestors, including law enforcement, security researchers, registries, the registrants themselves, and third parties (often interested in purchasing specific domains). We are sensitive to the fact that single-use requestors and private parties may not be able to pay for the review of their disclosure requests. Requests for fee waivers are welcomed and frequently granted.
Tucows has been transparent about our process, iterations, and what we have learned through operating TACO. We have also been public about the quality of some of the reports we receive and the importance of human review of requests.
We look forward to continuing to offer an industry-leading domain name registration data disclosure platform, with built-in security and privacy protection, and to making improvements as we move forward. We remain available to discuss the TACO platform, including our disclosure statistics as well as these functionality changes, both virtually and at ICANN76. Stay tuned to this blog space for our pre-ICANN TACO Statistics Update and our post-ICANN policy recap!
1There are some circumstances where non-disclosure is ordered by a court, and, in these cases, the requestor can opt out of this automated notice.