RDRS – A slight un-darkening of the domain-name whois landscape?

[1,2] Since the introduction of the General Data Protection Regulation (GDPR) (a European Union policy relating to information privacy) in May 2018, it is frequently the case that the domain ownership information given in whois (registration) records is significantly limited. This raises difficulties in identifying points of contact for the sending of enforcement notices in response to identified infringements and, furthermore, in the ability to be able to cluster together related findings to provide stronger indications of bad-faith activity and allow efficient bulk takedowns.

The introduction of the Registration Data Request Service (RDRS), a new pilot scheme by ICANN (the Internet Corporation for Assigned Names and Numbers), to allow registrant data for gTLD domains to more easily be requested by entities with a legitimate interest, may mediate this situation to some degree. Whilst it was already previously possible to approach registrars to request information of this type, RDRS promises to put in place a simplified and standardised methodology.

RDRS is intended to supersede the pre-existing Registration Data Access Protocol (RDAP) used for looking up public whois data through ICANN, which itself offers support for internationalisation and provides secure access. Currently for requesting non-public data, it is necessary to perform a look-up of the registrar responsible for managing an infringing domain, and then contact that registrar directly according to their communication preferences. With RDRS, however, requests can be submitted through a standardised form accessible through the user’s ICANN account. The system then connects the requestor to the relevant ICANN-accredited registrar, who then ultimately makes the decision as to whether the information should be released, based on the grounds specified. RDRS does not therefore guarantee access to the registration data, and subsequent communication between registrar and requestor is carried out outside the system.

Participation in the system is voluntary for ICANN-accredited registrars, but who are strongly encouraged to opt in. RDRS launched in November 2023, with 56 registrars opting in through early onboarding, and with another 30 having subsequently joined, meaning that the scheme currently covers just over half of all gTLD domains. In cases where a request is submitted for a domain managed by a non-participating registrar, the system will still return a PDF document with all information required to submit the request directly to the appropriate registrar through the legacy process.

Use of the RDRS system is available to any entity with a legitimate interest in non-public gTLD domain registration data, including law enforcement, consumer organisations, and IP-protection, brand-protection and cybersecurity service providers. The system also provides functionality for uploading relevant documentation, such as court orders, and provides an option for requesting an ‘expedited’ review. It connects the requestor to the relevant registrar, but does not provide a means of contacting the registry (the organisation responsible for overseeing the whole TLD) and also does not support requests for domains on restricted extensions (such as .gov or .mil) or for domains registered under privacy-protection or proxy service providers.

During the pilot period, ICANN is collecting usage data and other metrics, to allow a formal decision on the next steps for the scheme to be made. Relevant statistics are published on the ICANN website[3] on a monthly basis. The most recent report[4] covers the period until the end of March 2024, and includes a number of relevant insights, including the following points (covering the full dataset since the start of the RDRS pilot):

• To date, 1,007 disclosure requests have been submitted through the system. 360 cases have involved subsequent use of the ‘export PDF’ function for the data request form, in instances where the request pertains to a non-participating registrar.
• 2.5% of requests utilised the ‘expedited review request’ function.
• The most popular categories of requestor are: IP holder (36%), ‘other’ (21%), law enforcement (11%), consumer protection (9%) and security researcher (7%).
• 20% of requests were approved by the registrar and 70% denied, with the remainder either not relevant because data is publicly available anyway (9%) or ‘partially approved’ (1%). The most common grounds for denial were: ‘cannot disclose due to applicable law’ (30% of cited denial criteria); ‘other corrective action is first required’ (27%); and ‘request is incomplete / more information is required’ (19%).
• The average response time is 5.3 days for approved requests and 3.3 days for denied requests. 90% of responses are received within 16 and 7 days (for approved and denied requests, respectively).
• The report lists all 86 registrars currently opted in to the RDRS scheme (p. 16 of the report).

The relatively high denial rate for requests submitted in the RDRS pilot to-date raises concerns that the scheme may not prove as useful to brand owners as had been hoped; RDRS leaves the final decision on disclosure in the hands of registrars and will not necessarily change their position. For example, in Stobbs’ experience[5], US registrars generally redact registrant data due to GDRP and will refuse to provide it (even through RDRS) unless subpoenaed. The compliance rate through RDRS is lower than for the comparable scheme run by Nominet for .uk domains (for example), which also uses a dedicated form. Overall, it is possible that UDRP (Uniform Domain-Name Dispute-Resolution Policy) may still transpire to be the most effective route for unmasking redacted information in many cases going forward. However, it is significant that these developments are taking place at a time when domain registrars are coming under increasing scrutiny in response to the Registrar Accreditation Act (RAA)[6], requiring them to take action in cases where DNS abuse is detected.

References:

[1] https://international.eco.de/event/rdrs-how-to-access-whois-data-today/

[2] https://livestream.com/accounts/686369/eco-rdrs/videos/244594844

[3] https://www.icann.org/rdrs-en

[4] https://www.icann.org/en/system/files/files/rdrs-usage-metrics-15apr24-en.pdf

[5] S. Ustel, pers. comm., 02-May-2024

[6] https://www.icann.org/resources/pages/global-amendment-2024-en