[registrars] [Fwd: Preliminary statement of registrar practices related to providing non-public data to law enforcement and 3rd party requesters]
I have been asked by the Whois TF to describe how registrars deal with requests for access to data that is not published in the Whois. Based on a limited set of interviews with other registrars, and our own practices, I have put together this document. This document is not definitive in any way - I have only put 30-45 minutes total time (data gathering and typing) into developing this statement. If your registrar deals with these types of requests differently, or sees different types of requests even, I would appreciate it if you could drop me a line. Thanks in advance for your assistance, -ross -------- Original Message --------Subject: Preliminary statement of registrar practices related to providing non-public data to law enforcement and 3rd party requesters Date: Tue, 14 Nov 2006 18:43:31 -0500 From: Ross Rader <ross@xxxxxxxxxx> Reply-To: ross@xxxxxxxxxx Organization: Tucows Inc. To: gnso-dow123@xxxxxxxxxxxxxx Disclaimer: The following is an early stage statement of how registrars typically deal with requests from 3rd parties and law enforcement agencies for access to data that is not otherwise disclosed through whois or other publicly accessible means. This document is not a proposal, it is a statement of current practice. It is not exhaustive and other processes and practices may be in use by registrars. These other practices may or may not be consistent with this description. This is not an official submission of the registrar constituency. These statements are the observations of one individual based on discussions with larger ICANN accredited registrars. These statements would benefit from further review, discussion and input from the registrar community. ---- There are two different classes of requests for registration information. 1) Requests for information about registrations that are managed through a private registration or registration proxy service (a "type 1" request) 2) Requests for information for regular, non-proxy/non-private registrations. (a "type 2" request) These requests are typically dealt with differently by registrars. Requests are typically taken in by a single point of contact at a registrar which liaises with or escalates to the registrars legal department or staff. Type 1 requests for information that would otherwise be in the whois, but are "hidden" by a private registration or registration proxy service are typically granted to law enforcement entities or 3rd parties who are able to make a good faith showing that they have a legitimate need for the data requested. These requests are granted on a case-by-case basis, as appropriate to the specific situation. The Registrar legal department or staff are typically the final arbiters of what information is disclosed and what is not. In a typical case, after the request has been deemed to have been made in good faith, the information is disclose to the requester. Law enforcement requests are typically given priority over other requests and are subject to a much lower threshold than more regular 3rd party civil requests. The terms of service for the private registration or registration proxy service will typically disclose the terms and conditions upon which this type of registration information will be disclosed. In international instances, law enforcement requests coming from other countries may be requested to coordinate with local law enforcement officials before a request is considered. Type 2 requests for information cover registration and related data that would not normally be found in whois, such as credit card data, usage information and other sensitive information, a similar process is followed, but the bar is much higher. Typically, 3rd party requests are not granted, except in very specific and limited circumstances where immediate danger, loss of life or other specific immediate threat can be specifically demonstrated. In the majority of instances, 3rd parties are requested to use legal means to access the data. Type 2 requests coming from law enforcement entities are not always held to such a high standard, but using legal means such as a subpoena or other similarly formal means is definitely encouraged. The primary criteria being the nature of the data being requested, the applicable law pertaining to the acquisition, retention and disclosure of the data in question, the perceived urgency of the request (i.e. whether or not immediate danger, loss of life or other specific immediate threat can be specifically demonstrated). Some registrars choose to channel type 2 requests exclusively through more formal legal channels such as a civil investigative demand, subpoena or other similarly formal means. This typically depends on the nature of the relevant laws that the registrar conducts business under. --- If there is interest I would be pleased to describe these practices in terms of how specific registrars have implemented these practices. |