RDRS usage stabilizing?
Usage of ICANN’s experimental Registration Data Request Service may have hit what might in future pass for normal levels, with not a massive amount of fluctuation across several key statistics for the last few months.
But ICANN’s latest monthly stats report, published late last week, shows that July was the worst month so far in terms of closed Whois data disclosure requests, dipping into double digits for the first time since its launch in late 2023.
There were 164 disclosure request in July, down from 169 in June but up on May’s low point of 154. The mix of requester types tilted towards IP owners — 40% versus a lifetime average of 33% — while law enforcement was down.
Only 97 requests were closed during the period, a third consecutive all-time low down from 134 in June and 140 in May. Approved requests were at 22.72% while denied requests were at 65.79%, a slight improvement in terms of the approved/denied mix compared to June.
It took a bit longer to get a request approved in July — 9.3 days on average versus 6.59 in June and a lifetime average of 7.19 days. The median time-to-approval since launch is still two days.
Getting a request denied took about half as long in the period — 10.7 days versus 19.46 in June. The median value is also still two days.
Two new, smaller registrars — one Chinese, one Moroccan — joined the project, and none quit, leading to a total of 92. Registrar coverage remained at 59% of registered gTLD domains.
The number of RDRS queries for domains held at unsupported registrars was down at 27.86% compared to a lifetime average of 29.7% but up against June’s 23.31%.
RDRS stats improve a little in June
ICANN’s Registration Data Request Service saw a small improvement in usage and response times in June, but it did lose a registrar, according to statistics published today.
There were 170 requests for private Whois data in the month, up a little from May’s historic low of 153, and 20.88% were approved, compared to 20.29% in May.
The mean average response time for an approved request was down to 6.59 days, from 11.34 days in May and April’s huge 14.09 days. Since the RDRS project began last November, the median response time is two days.
Smaller registrar OwnRegistrar opted out of the program during the month, but the coverage in percentage terms held steady at 59%, with 90 registrars of various sizes still participating.
RDRS usage hits all-time low
Usage of ICANN’s Registration Data Request Service, which lets people submit Whois queries to registrars, hit a new low in May, six months after its launch.
RDRS was used to submit 156 requests for private Whois data in the period, the lowest number to date. In December, there were 173 requests; the peak was 290 the following month.
While requests from law enforcement held at 46, requests from IP holders, which had peaked at 117 in February, dipped a little between April and May, going from 43 to 37.
The mix between approved and denied requests was pretty much unchanged — about 20% of requests get approved and about 70% get denied.
The number of RDRS queries (domain lookups that don’t necessarily result in a request) was also at at all-time monthly low, at 1,393, from a December peak of 2,349 and April’s 1,435. Only a quarter of queries were for supported domains, down from 30% in April.
The wait time for approval shortened a little, having topped out at a massive 14 days in April, to an average of 11.34 days. Denials took on average 9.77 days.
Three more registrars joined the voluntary service in May, and none left. One of the newcomers was a second Alibaba accreditation, which brought in 3.5 million domains and raised the overall service coverage from 57% to 59% of all gTLD domains.
One way of spinning the numbers would be to say that RDRS users have become disillusioned with the service, another would be to say they are done kicking the tires and seeing what they can get away with, have discovered its limitations, and are now using it as intended.
ICANN restarts work on controversial Whois privacy rules
ICANN is to bring in new rules for Whois privacy and proxy services, the best part of a decade after they were first proposed to massive controversy.
It’s looking for volunteers to work with Org staff on implementing policy recommendations that in 2015 led to tens of thousands of people expressing outrage about the dangers, as they saw it, of their privacy being breached.
ICANN is putting together an Implementation Review Team to help implement the recommendations of the Privacy and Proxy Services Accreditation Issues Policy Development Process, known as PPSAI, which sought to bring privacy/proxy services under ICANN’s regulatory umbrella.
The recommendations were hugely controversial in their first draft, which in a minority statement expressed the view that people should be banned from using their domains commercially if they were using privacy services.
But the IRT will be tasked with implementing the final draft, which expunged the calls for such a ban.
The policy still calls for ICANN to run an accreditation system for privacy/proxy services in much the same way as it accredits registrars. It also lays out rules for how such services should gather registrant data and how to treat customer interactions.
But the recommendations are undeniably from a different era, thunk up before the EU’s General Data Protection Regulation made privacy-by-default essentially the industry standard for Whois records.
The PPSAI recommendations now interact with policies and practices that have been adopted in the intervening years, such as the recent Registration Data Policy and the Registration Data Request Service.
People willing to donate 10 to 20 hours a month to the new IRT can check out more details here.
It now takes TWO WEEKS to get a Whois record with RDRS
There’s been a shocking increase in the time it takes to get a Whois record disclosed under ICANN’s Registration Data Request Service, according to the latest monthly data.
It took on average 14.09 days to have a request for private Whois data approved using RDRS in April, more than double the previous high, recorded in February, of 6.92 days, the data shows. The average since the system launched at the end of November is 6.73 days.
The average time to have a request denied was 11.26 days, up from 6.17 days in March, the data also shows.
RDRS is a mechanism that allows people — largely intellectual property interests and law enforcement — to request unredacted domain ownership information. ICANN doesn’t handle the requests, it just forwards them to the responsible registrar.
It’s not obvious from the data why requests in April suddenly took so much longer to approve. Any number of reasons, from technical problems to a shift in the mix towards particularly sluggish registrars, could have thrown the average.
The percentage of requests that were approved was down very slightly compared to March, at 19.16% compared to 20.26%. Denied requests were up to 71.26% compared to 69.5% in March. Requests were largely denied because of data protection law or because the requester didn’t provide enough information.
Since RDRS launched five months ago, there have been 1,215 disclosure requests, 210 of which were approved. That works out to about 1.36 approved requests per day.
Registrar coverage improved a little in April, with three registrars newly listed and one (Sweden’s Ilait AB, which has about 6,000 domains) removed. The number of gTLD domains covered as a percentage remained flat at 57%.
ICANN has spent almost $2 million on RDRS to date. It’s a two-year pilot, and at some point it will have to be decided whether the expense is worth it.
Alibaba, Name.com among new RDRS opt-ins
Eleven registrars representing millions of domain names signed up to support ICANN’s Registration Data Request Service last month. One registrar dropped out.
One of Chinese tech giant Alibaba’s registrars was among the additions. Alibaba Cloud Computing (Beijing), which has 2.6 million names under management, is a notable addition given that one of its sister registrars was recently hit with an ICANN Compliance action due to alleged abuse inaction.
Also opting in to the Whois band-aid service were Identity Digital’s Name.com (2.2 million names), three of its sister companies, and Newfold Digital’s Register.com (1.5 million names). Nominalia, P.A Vietnam, and Ubilibet also signed up.
Realtime Register dropped out of the voluntary service, the third registrar to opt out since RDRS launched in Novemeber.
ICANN says its coverage is now 57% of the total gTLD domains out there, up from 55% in February. It has 86 registrars on-board in total, including most of the largest.
RDRS is a two-year pilot that offers people who want access to private Whois records, largely intellectual property interests and law enforcement, a simpler way to connect with the registrars holding that data.
Some registrars have already quit ICANN’s Whois experiment
ICANN’s two-year experiment in helping connect Whois users with registrars has grown its pool of participating registrars over the last few months, but it has lost a couple of not-insignificant companies along the way.
The Registration Data Request Service launched in November, promising to provide a hub for people to request the private data in Whois records, which is usually redacted. Monthly usage reports, first published in January, showed 72 registrars had joined the scheme at launch.
That number was up to 77, covering about 55% of all registered gTLD domain names, at the end of February, the latest report shows. Seven more registrars have signed up and two have dropped out.
The newbies include WordPress creator Automattic, which has 1.1 million names, PublicDomainRegistry, which has 4.4 million, Register.it, which has 666,000, and Turkiye’s METUnic, which has 235,000.
The two registrars quitting the project, apparently in January, are Combell (formerly Register.eu), which has 1.3 million domains, and Hong Kong’s Kouming.com, which has 57,000.
The latest data shows that RDRS returns a “registrar not supported” error 32.7% of the time.
The running total of requesters was up by 607 to 2937 in February, ICANN’s data shows. They filed 246 requests in the month for an RDRS total of 754 so far. Intellectual property owners were the main users, followed by law enforcement and security researchers.
There were 64 approved requests — where the registrar handed over the Whois data — to make a to-date total of 133. On 50 occasions requests were turned down because the registrar decided it could not turn over the data due to privacy law. These stats break down to 20% approval and 70% denial.
It took an average of 6.92 days to approve a given request — a steep incline from the 3.89 days in January — and 2.92 to deny one.
The full report, containing much more data, can be read as a PDF here.
Whois policy published without life-saving disclosure rule
ICANN has updated its Registration Data Policy, the rules that govern what data registries and registrars need to collect from registrants and when to publish or supply it through Whois lookups or disclosure requests.
When it becomes enforceable in August next year, the new RDP will make full-fat ICANN Whois policy compliant with EU privacy law for the first time since the General Data Protection Regulation came into effect in May 2018.
But the new policy, which replaces a functionally very similar temporary policy, is notable not only for the extraordinary amount of time it took to produce, but also for not containing a disputed requirement for registrars and registries to quickly turn over private Whois data when human life is at risk.
The policy dictates what contact information registrars must collect from their customers, what they must share with their registries, escrow agents and others, and what they must redact in the public Whois (or Registration Data Directory Services, as it will become known when Whois is retired next January).
It also says that registries and registrars must acknowledge private data disclosure requests no more than two business days after receipt and respond to the requests in full less than 30 calendar days after that, barring delays caused by “exceptional circumstances”.
But, due purely to ICANN community politicking, the policy for now omits previously considered language on “urgent” disclosure requests for use in “circumstances that pose an imminent threat to life, of serious bodily injury, to critical infrastructure, or of child exploitation”.
I’d like to think such circumstances are incredibly rare, but if there’s a situation where a Whois disclosure could help prevent a bomb going off at a major internet exchange, a trans rights activist being hounded into suicide, or a little kid getting raped on a livestream, the new ICANN policy does not account for that.
The version of the policy published in July last year (pdf) did include an urgent requests provision, requiring contracted parties to either turn over the data or tell the requester to get lost within 24 hours of receipt.
But it also contained a bunch of exceptions that could allow registrars to extend that deadline by up to three business days. When weekends and public holidays are taken into account, this could mean as much as a full calendar week to process an “urgent”, potentially life-saving request.
For that reason, the Governmental Advisory Committee wrote to ICANN (pdf) last August to ask it to revisit the policy language, chuck out the reference to “business” days, and stick to a 24-hour response window
The original Expedited Policy Development Process Working Group that came up with the policy recommendations had not specified how long registrars and registries should have to respond to urgent disclosure requests, punting that decision to the Implementation Review Team that drafted the final language.
An August 2022 draft (pdf) put out for public comment made the response window two business days, with a possible one-day extension, but this was reduced to 24 hours last year in what registrars describe as a “significant compromise” given the operational reality of responding to disclosure requests.
In August last year, the Registrars Stakeholder Group told ICANN (pdf) that its members “are committed to responding to Urgent requests in the most swift and expeditious manner possible” but said it objected to the GAC’s last-minute demands for the urgent disclosures policy to be rewritten.
From the registrars’ perspective, handling disclosure requests for personal data is not a simple ask. It’s a legal decision, balancing the privacy rights of the registrant with the rights of others to access that information.
Get it wrong, and you’re open to litigation and fines substantial enough to be expressed as a percentage of your revenue. And, money aside, who wants to be the guy who, for example, accidentally helps the Iranian morality police murder a bunch of schoolgirls for wearing the wrong type of hat?
But the argument between the registrars and the governments comes down to issues of ICANN process. Both the GAC and the RrSG claimed the urgent disclosures bunfight highlights deficiencies in ICANN multistakeholderism, but for different reasons.
ICANN’s response to this disagreement was to remove the urgent requests clauses from the policy altogether, in the hope that further talks can find a solution. Chair Tripti Sinha wrote to the RrSG and GAC a couple weeks ago to tell them:
the Board concluded that it is necessary to revisit Policy Recommendation 18 concerning urgent requests in the context of situations that pose an imminent threat to life, serious bodily harm, infrastructure, or child exploitation, and the manner in which such emergencies are currently handled. For this, we believe that consultation with the GNSO Council is required.
ICANN has essentially kicked the can, which was what the GAC had asked for. The RrSG wanted the July 2023 language (one-plus-three days) or August 2022 language (two-plus-one days) published in the final policy.
It’s stuff like this that makes one scratch one’s head, stroke one’s chin, and wonder whether ICANN really is fit for purpose.
There were 2,312 days between the day the European Commission first proposed the GDPR to the day it became effective in all EU member states.
But 2,590 days will have passed between the day the GNSO Council initiated the EPDP and the day the new Registration Data Policy will become effective on all contracted parties, next August.
The lumbering, then-28-state European Union was faster at passing policy than ICANN, even when ICANN was using an “expedited” process.
And what ICANN eventually came up with couldn’t even agree on ways to help tackle murder, economic catastrophes, and the rape of kids.
Weak demand for private Whois data, ICANN data shows
There were fewer than six requests for private Whois data per day in December, and most of those were denied, according to newly published ICANN data.
The disappointing numbers, which also show that only about 2.5% of accredited registrars are participating, show that ICANN’s new Registration Data Request Service is certainly off to a slow start.
RDRS launched in November. It’s a ticketing system that enables people to request unredacted private Whois data, with no guarantee the requests will be granted, from registrars via an ICANN portal.
As it’s a two-year trial, ICANN promised to publish usage data every month. The first such report was published today (pdf).
The report shows that 1,481 requester accounts have been created so far, but that just 174 requests were made in December — about 5.6 per day on average.
Almost a third of requesters were intellectual property interests, with domain investors at 4.5% and law enforcement at 8%. Security researchers accounted for 15% of requests.
The data shows that most requests — 80.47% — were marked as “Denied” by registrars, largely because the registrar needed more information from the requester before it could process their request. ICANN said RDRS has no visibility into whether data was ultimately handed over outside of the system.
The supply-side data isn’t particularly encouraging either. Only 72 registrars were participating in RDRS at the end of the year.
That’s 2.5% of the 2,814 registrar entities ICANN contracts with, but if we exclude the 2,000+ drop-catching shell registrars owned by the likes of TurnCommerce, Newfold Digital and Gname, participation might be more fairly said to be closer to 10%.
ICANN said that the 72 registrars, which include many of the largest, account for 53% of all registered gTLD domain names, so you might think requesters have a better-than-even chance of being able to use the system for any given domain.
That’s not the case. RDRS data requesters are finding that the domain they are querying belongs to a non-participating registrar far more often than not — 80% of queries through the system were for domains not in the system, the report shows.
And when the registrar is participating, chances are that the data request will be denied — 80% were denied versus just 11.72% approved and 1.56% partially approved.
It takes on average two days for a request to be denied and four days for a request to be approved, the report shows.
While the results to date are arguably disappointing, given the years of effort the ICANN community and staff put in to build this thing, it’s still early days.
I also think it quite likely some of the numbers have been skewed by both the Christmas and New Year holiday period and early-adopter requesters kicking the tires with spurious requests.
ICANN begs people to use its new Whois service
ICANN’s CEO has published an open letter encouraging the community to spread the word about its new Registration Data Request Service.
Sally Costerton explained (pdf) that RDRS is a “free, global, one-stop shop ticketing system” that hooks up people seeking private Whois data with the relevant registrar.
“I appreciate your attention to this new service and ask that you share this information with the relevant stakeholders in your organization,” she concludes.
The plea comes after the late-November launch of the system and the revelation that the system currently has far from blanket coverage from registrars.
“Use of the RDRS is voluntary, but I’m pleased to let you know that we have strong participation from registrars already,” Costerton wrote.
Since I published a blog post three weeks ago naming 25 large registrars not participating in RDRS, only Markmonitor has chosen to sign up, adding another one million domains to RDRS’s footprint.
But it turns out Chinese registrar Alibaba, which I was unable to check due to a bug or downtime somewhere, definitely is not participating, so there are still 25 out of the 40 registrars with over a million domains that are not participating.
Usage on the demand side is not known, but ICANN says it will publish regular monthly progress reports.
The RDRS is considered a pilot. It will run for at least two years before ICANN figures out whether it’s worth keeping.
Recent Comments