Advisory: Fees Related to Requests for gTLD Registration Data Access
The purpose of this Advisory is to raise awareness within the Internet Corporation for Assigned Names and Numbers (ICANN) community that some registrars have begun charging fees to process third-party requests for access to nonpublic generic top-level domain (gTLD) registration data.
This Advisory identifies the issues raised by this practice under current ICANN contract requirements.
One example of this practice is the Tiered Access Compliance and Operations (TACO) system, which is currently provided by Tucows Domains Inc. (Tucows). At the time of this publication, Tucows' TACO system permits third parties to request access to nonpublic registration data. As described by Tucows, "the TACO system displays previously-public Whois data."[1] All requests for disclosure of data must be submitted through TACO. Users of this system must agree to the Terms of Service under which Tucows, "reserve[s] the right to bill for TACO access monthly in arrears…" ICANN organization (org) is aware that other registrars may also be charging a fee to third parties who request access to nonpublic gTLD registration data.
ICANN org is concerned that registrars' imposition of fees for consideration of requests for access to nonpublic gTLD registration data may pose an access barrier. Access to registration data serves the public interest and contributes to the security and stability of the Internet by providing contact information to support efforts related to consumer protection, cybercrime investigation, Domain Name System (DNS) abuse, and intellectual property, and to address appropriate law enforcement needs. Registration data also enables network administrators and others to identify and correct system problems and to maintain Internet stability. Domain name registration data can be used to combat spam and fraud, prosecute trademark infringement, and enhance the accountability of domain name registrants.
However, as explained below, there is not an explicit requirement in applicable agreements that contracted parties provide "free" access to nonpublic gTLD registration data.
Historically, gTLD Registration Data Was Free and Public.
Historically, access to personal data in registration data was available via a free, query-based WHOIS system, as required under the Registrar Accreditation Agreement (RAA) and Registry Agreements. The WHOIS system traces its roots to 1982, when the Internet Engineering Task Force (IETF) published a protocol for a directory service for contact information of anyone transmitting data across the ARPANET. ICANN org inherited this version of the WHOIS system when ICANN was established in 1998.
ICANN's agreements with registrars and registries prescribed Registration Data Directory Services via the WHOIS protocols, including, for example, registrars' obligation to provide free public query-based access to up-to-date data concerning all active registered names sponsored by a registrar in any gTLD, which includes domain name registration data (Section 3.3.1 of the RAA). Under ICANN's current Bylaws, and subject to applicable laws, ICANN enforces its policies relating to Registration Data Directory Services and is committed to working with the community to improve accuracy and access to gTLD registration data.
WHOIS Access Requirements Updated in Light of New Laws.
In recent years, evolution of data protection regulations across the globe impacted the legality of open access to personal data via the WHOIS system and impacted registrars' and registry operators' ability to comply with their respective obligations under ICANN agreements and policies. For example, the European Union's General Data Protection Regulation (GDPR) necessitated changes to the current ICANN agreements and related WHOIS policies.
In May 2018, the ICANN Board of Directors (ICANN Board) adopted the Temporary Specification for gTLD Registration Data (Temporary Specification), which established temporary requirements to allow compliance with existing requirements, in light of evolving privacy laws (namely, GDPR), while maintaining the existing WHOIS system to the greatest extent possible. Subsequently, the Interim Registration Data Policy for gTLDs (Interim Policy) was adopted, requiring ICANN contracted parties to continue to implement measures consistent with the Temporary Specification.
The Temporary Specification resulted in the restriction of most personal data to layered/tiered access by requiring or permitting its redaction in the public WHOIS. The Temporary Specification also included the provision that ICANN contracted parties (registrars and registry operators) must provide reasonable access to previously public registration data, now redacted under the Temporary Specification, but it did not explicitly state that such access to nonpublic registration data must be provided free of charge. In adopting the Temporary Specification, the ICANN Board emphasized in an accompanying Advisory Statement that "Consistent with the requirements in the Registry and Registrar Accreditation Agreements for emergency temporary policies, the Temporary Specification has been tailored as narrowly as possible to address the requirements of the GDPR."
The emergence of privacy regulations, such as GDPR, has necessitated additional efforts by the community to address the need for access to previously public registration data, while recognizing the burdens placed on the parties involved in processing requests for such access. These burdens include, for example, costs associated with efforts to verify the identity of a requestor, as well as requirements on registrars who need to evaluate requests in accordance with applicable law.
After the Temporary Specification went into effect, ICANN org observed that some registrars had begun charging for processing requests for access to nonpublic gTLD registration data.[2] While the RAA explicitly requires access to public registration data directory services to be provided free of charge, the Temporary Specification does not specifically address the issue of whether or not a registrar may charge a fee for considering requests for access to redacted registration data.
The Consensus and Temporary Policy Specification to the Registrar Accreditation Agreement makes clear that Consensus Policies developed by the ICANN community shall not "prescribe or limit the price of registrar services." In some cases, however, fees for registration data access could be restricted by local law.[3]
ICANN org is raising this issue for the community's awareness of the contractual issues surrounding this practice.
[1] This information was obtained on 8 September 2022 from the Tucows Tiered Access Compliance and Operations System Terms of Service, at https://tieredaccess.com/terms.
[2] For example, see the Tucows Terms of Service for the use of its TACO system. Per these terms, at https://tieredaccess.com/terms, each request is individually reviewed by a Tucows staff member for sufficiency, to determine legitimacy of access, and to determine the appropriate tier of disclosure.
[3] See, for example, draft Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive), at Recital 62 ("Member States should ensure that all types of access to domain name registration data (both personal and non-personal data) are free of charge"), at https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/ITRE/DV/2022/07-13/LettertoEP_Annex_1streading_NIS2_EN.pdf.