[registrars] [Fwd: Preliminary statement of registrar practices related to providing non-public data to law enforcement and 3rd party requesters]

Ross Rader ross at tucows.com
Tue Nov 14 23:46:56 UTC 2006


I have been asked by the Whois TF to describe how registrars deal with 
requests for access to data that is not published in the Whois. Based on 
a limited set of interviews with other registrars, and our own 
practices, I have put together this document. This document is not 
definitive in any way - I have only put 30-45 minutes total time (data 
gathering and typing) into developing this statement.

If your registrar deals with these types of requests differently, or 
sees different types of requests even, I would appreciate it if you 
could drop me a line.

Thanks in advance for your assistance,

-ross

-------- Original Message --------
Subject: Preliminary statement of registrar practices related to 
providing non-public data to law enforcement and 3rd party requesters
Date: Tue, 14 Nov 2006 18:43:31 -0500
From: Ross Rader <ross at tucows.com>
Reply-To: ross at tucows.com
Organization: Tucows Inc.
To: gnso-dow123 at gnso.icann.org

Disclaimer: The following is an early stage statement of how registrars
typically deal with requests from 3rd parties and law enforcement
agencies for access to data that is not otherwise disclosed through
whois or other publicly accessible means. This document is not a
proposal, it is a statement of current practice. It is not exhaustive
and other processes and practices may be in use by registrars. These
other practices may or may not be consistent with this description. This
is not an official submission of the registrar constituency. These
statements are the observations of one individual based on discussions
with larger ICANN accredited registrars. These statements would benefit
from further review, discussion and input from the registrar community.
----

There are two different classes of requests for registration information.

1) Requests for information about registrations that are managed through
a private registration or registration proxy service (a "type 1" request)
2) Requests for information for regular, non-proxy/non-private
registrations. (a "type 2" request)

These requests are typically dealt with differently by registrars.

Requests are typically taken in by a single point of contact at a
registrar which liaises with or escalates to the registrar's legal
department or staff.

Type 1 requests for information that would otherwise be in the whois,
but are "hidden" by a private registration or registration proxy service
are typically granted to law enforcement entities or 3rd parties who are
able to make a good faith showing that they have a legitimate need for
the data requested. These requests are granted on a case-by-case basis,
as appropriate to the specific situation. The Registrar legal department
or staff are typically the final arbiters of what information is
disclosed and what is not. In a typical case, after the request has been
deemed to have been made in good faith, the information is disclosed to
the requester. Law enforcement requests are typically given priority
over other requests and are subject to a much lower threshold than more
regular 3rd party civil requests. The terms of service for the private
registration or registration proxy service will typically disclose the
terms and conditions upon which this type of registration information
will be disclosed. In international instances, law enforcement requests
coming from other countries may be requested to coordinate with local
law enforcement officials before a request is considered.

Type 2 requests for information cover registration and related data that
would not normally be found in whois, such as credit card data, usage
information and other sensitive information. A similar process is
followed, but the bar is much higher. Typically, 3rd party requests are
not granted, except in very specific and limited circumstances where
immediate danger, loss of life or other specific immediate threat can be
specifically demonstrated. In the majority of instances, 3rd parties are
requested to use legal means to access the data. Type 2 requests coming
from law enforcement entities are not always held to such a high
standard, but using legal means such as a subpoena or other similarly
formal means is definitely encouraged. The primary criteria are the
nature of the data being requested, the applicable law pertaining to the
acquisition, retention and disclosure of the data in question, and the
perceived urgency of the request (i.e. whether or not immediate danger,
loss of life or other specific immediate threat can be specifically
demonstrated). Some registrars choose to channel type 2 requests
exclusively through more formal legal channels such as a civil
investigative demand, subpoena or other similarly formal means. This
typically depends on the nature of the relevant laws that the registrar
conducts business under.

---

If there is interest I would be pleased to describe these practices in
terms of how specific registrars have implemented these practices.




