Registrars CAN charge for Whois, ICANN grudgingly admits
ICANN is powerless to prevent registrars from charging for access to non-public Whois data, the Org has reluctantly admitted.
In a recent advisory, ICANN said it is “concerned” that registrars including Tucows have been charging fees to process requests for data that would otherwise be redacted in the free public Whois.
But it said there’s nothing in the Registrar Accreditation Agreement, specifically the Temporary Specification governing Whois in the post-GDPR world, that bans such services:
While the RAA explicitly requires access to public registration data directory services to be provided free of charge, the Temporary Specification does not specifically address the issue of whether or not a registrar may charge a fee for considering requests for access to redacted registration data.
So basic Whois results, with all the juicy info redacted, has to be free, but registrars can bill organizations who ask for the veil to be lifted. ICANN wrote:
ICANN org is concerned that registrars’ imposition of fees for consideration of requests for access to nonpublic gTLD registration data may pose an access barrier. Access to registration data serves the public interest and contributes to the security and stability of the Internet
The advisory calls out Tucows’ Tiered Access Compliance and Operations system, TACO, as the primary example of a registrar charging for data, but notes that others are too.
Not long after the advisory was published, Tucows posted an article in which it explained that the fees are necessary to cover the cost of the “thousands” of automated requests it has received in the last four years.
Charging fees for compliance with other forms of legal process is not uncommon in the industry, and the vast majority of requests for registration data (approximately 90%) continue to come from commercial litigation interests and relate to suspected intellectual property infringement.
Facebook, now Meta, was at first, and may still well be, a frequent bulk filer.
Tucows said that it “frequently” waives its fees upon request for “single-use requestors and private parties”.
Setting prices for a registry or registrar service would be a direct violation of the picket fence, so it’s not a coincidence that Temp Spec didn’t address this. A policy trying to go there would be immediately voted down by all CPH, and any attempt to do that would trigger one or many accountability mechanisms.
ICANN tries to imply that this was a shortcoming of the policy, but it was not.
This is not unusual in the legal field. From Facebook’s own page for law enforcement:
“Cost Reimbursement
We may seek reimbursement for costs in responding to requests for information as provided by law. These fees apply on a per account basis. We may also charge additional fees for costs incurred in responding to unusual or burdensome requests.
We may waive these fees in matters investigating potential harm to children, Facebook, Instagram and our users, and emergency requests.”
https://www.facebook.com/safety/groups/law/guidelines/